IMPROVING SOFTWARE RELIABILITY AND SECURITY WITH AUTOMATED ANALYSIS

Static-analysis tools that identify defects and security vulnerabilities in source and executables have advanced significantly over the last few years. A brief description of how these tools work is given. Their strengths and weaknesses in terms of the kinds of flaws they can and cannot detect are discussed. Methods for quantifying the accuracy of the analysis are described, including sources of ambiguity for such metrics. Recommendations for deployment of tools in a production setting are given.