Evaluating the Cost Reduction of Static Code Analysis for Software Security

Cited by: 19
Authors
Baca, Dejan [1 ]
Carlsson, Bengt [1 ]
Lundberg, Lars [1 ]
Affiliation
[1] Blekinge Inst Technol, Sch Engn, Karlshamn, Sweden
Source
PLAS'08: PROCEEDINGS OF THE ACM SIGPLAN THIRD WORKSHOP ON PROGRAMMING LANGUAGES AND ANALYSIS FOR SECURITY | 2008
Keywords
Security; static code analysis; trouble report; early fault detection; code quality improvement; cost reduction; source code; false positive; Coverity Prevent
DOI
10.1145/1375696.1375707
Chinese Library Classification
TP31 [Computer software]
Discipline Classification Code
081202; 0835
Abstract
Automated static code analysis is an efficient technique for increasing software quality during early development. This paper presents a case study in which mature software with known vulnerabilities is subjected to a static analysis tool. The value of the tool is estimated from failures reported by customers. An average of 17% cost savings would have been possible if the static analysis tool had been used. The tool also had a 30% success rate in detecting known vulnerabilities and at the same time found 59 new vulnerabilities in the three examined products.
Pages: 79-88
Page count: 10