Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?

Author

Baca, Dejan ; Petersen, Kai ; Carlsson, Bengt ; Lundberg, Lars

Author_Institution

Sch. of Eng., Blekinge Inst. of Technol., Blekinge

fYear

2009

fDate

16-19 March 2009

Firstpage

804

Lastpage

810

Abstract

Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools´ output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state of the art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings and only developers with specific experiences are better than chance in detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers and a combination of security experience and SAT experience almost tripled the number of correct security answers.

Keywords

program diagnostics; security of data; software maintenance; legacy code; software security; static code analysis; vulnerability detection; Availability; Computer languages; Detectors; Fault detection; Fault diagnosis; Reliability engineering; Security; Software systems; coverity; experience; industry experiment; prevent; security; software security; static analysis; static code analysis; vulnerabilities;

fLanguage

English

Publisher

ieee

Conference_Titel

Availability, Reliability and Security, 2009. ARES '09. International Conference on

Conference_Location

Fukuoka

Print_ISBN

978-1-4244-3572-2

Electronic_ISBN

978-0-7695-3564-7

Type

conf

DOI

10.1109/ARES.2009.163

Filename

5066568