On the adoption of static analysis for software security assessment-A case study of an open-source e-government project

Cited by: 13
Authors
Anh Nguyen-Duc [1 ]
Manh Viet Do [2 ]
Quan Luong Hong [2 ]
Kiem Nguyen Khac [3 ]
Anh Nguyen Quang [4 ]
Affiliations
[1] Univ South Eastern Norway, Notodden, Norway
[2] MQ ICT SOLUT, Viet Nam, Hanoi, Vietnam
[3] Hanoi Univ Sci & Technol, Hanoi, Vietnam
[4] Univ Transport & Commun, Hanoi, Vietnam
Keywords
Security testing; Software vulnerability; SAST; Case studies; Experiments; Combined SAST tools; empirical study; e-government;
DOI
10.1016/j.cose.2021.1024700167
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development for security assessment poses various technical and managerial challenges. In this work, we reported results from a case study of adopting SAST as a part of a human-driven security assessment process in an open-source e-government project. We described how SASTs are selected, evaluated, and combined into a novel approach and adopted by security experts for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that while some SAST tools outperform others, it is possible to achieve better performance by combining more than one SAST tool. The combined approach has the potential to aid the security assessment process for open-source software. (c) 2021 Published by Elsevier Ltd.
Pages: 14