• DocumentCode
    2180813
  • Title
    Software security analysis - execution phase audit
  • Author
    Carlsson, Bengt ; Baca, Dejan
  • Author_Institution
    Sch. of Eng., Blekinge Inst. of Technol., Ronneby, Sweden
  • fYear
    2005
  • fDate
    30 Aug.-3 Sept. 2005
  • Firstpage
    240
  • Lastpage
    247
  • Abstract
    Code revision of a leading telecom product was performed, combining manual audit and static analysis tools. On average, one exploitable vulnerability was found for every 4000 lines of code. Half of the located threats in the product were buffer overflows, followed by race conditions, misplaced trust, and poor random generators. Static analysis tools were used to speed up the revision process and to integrate security tests into the overall project process. The discussion analyses the effectiveness of automatic tools for auditing software. Furthermore, the incorporation of the software security analysis into the development process, and the results and costs of the security analysis, are discussed. Of the initial 42 workdays used for finding all vulnerabilities, approximately 16 days were needed for finding and correcting 91.5% of the vulnerabilities. So, proportionally small investments improve the program code security by integrating an automatic auditing tool into the ordinary execution of source code revision.
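    The abstract names the two threat classes that dominated the audit, buffer overflows and poor random generators, but shows no code. The following C example is added here to make those classes concrete; it is not code from the paper or from the audited telecom product, and the function names, the 16-byte name buffer and the /dev/urandom token length are illustrative assumptions. Each vulnerable pattern, of the kind a static analysis tool flags, is placed next to a hardened form that a practitioner would substitute during the execution phase audit.

```c
/* Added example: vulnerability classes from the abstract beside hardened forms.
 * Not the paper's or the product's code; names and sizes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define NAME_SZ 16   /* assumed fixed buffer size for a subscriber name */

/* VULNERABLE: strcpy() never checks the destination capacity, so any src of
 * NAME_SZ bytes or more writes past dst. Shown for contrast only; it is never
 * called with overlong input here because that is undefined behaviour. */
void store_name_unchecked(char dst[NAME_SZ], const char *src) {
    strcpy(dst, src);
}

/* HARDENED: bounded copy that rejects overlong input instead of silently
 * truncating it. Returns the number of bytes copied, or -1 with dst untouched
 * when src (plus its terminator) does not fit in dstsz. */
int store_name_checked(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* VULNERABLE: rand() seeded from the wall clock. Anyone who knows roughly when
 * the token was issued can enumerate the few thousand plausible seeds and
 * reproduce it, so it must not be used for session or nonce material. */
unsigned weak_token(void) {
    srand((unsigned)time(NULL));
    return (unsigned)rand();
}

/* HARDENED: draw bytes from the kernel CSPRNG and hex-encode them. out receives
 * outsz-1 hex digits plus a NUL; outsz must be odd so whole bytes fit.
 * Returns 0 on success, -1 on any failure (bad size, device unavailable). */
int strong_token(char *out, size_t outsz) {
    if (outsz < 3 || outsz % 2 == 0)
        return -1;
    size_t nbytes = (outsz - 1) / 2;
    unsigned char raw[64];
    if (nbytes > sizeof raw)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(raw, 1, nbytes, f);
    fclose(f);
    if (got != nbytes)
        return -1;
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[outsz - 1] = '\0';
    return 0;
}

int main(void) {
    char name[NAME_SZ] = "";
    /* 20-character input is rejected rather than overflowing the 16-byte buffer */
    printf("checked copy of 20-char input: %d\n",
           store_name_checked(name, sizeof name, "aaaaaaaaaaaaaaaaaaaa"));
    printf("weak token (clock-seeded rand): %u\n", weak_token());
    char tok[33];
    if (strong_token(tok, sizeof tok) == 0)
        printf("strong token: %s\n", tok);
    return 0;
}
```

    Rejecting rather than truncating in store_name_checked is deliberate: silent truncation is what a later parser or comparison tends to mishandle, and an explicit -1 is visible to both the caller and the auditing tool.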
  • Keywords
    program diagnostics; security of data; software tools; source coding; automatic auditing tool; buffer overflow; execution phase audit; program code security; software auditing; software development process; software security; source code revision; static analysis tool; telecom product; Application software; Costs; Investments; Open source software; Performance analysis; Security; Software measurement; Software tools; Telecommunications; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Engineering and Advanced Applications, 2005. 31st EUROMICRO Conference on
  • Print_ISBN
    0-7695-2431-1
  • Type
    conf
  • DOI
    10.1109/EUROMICRO.2005.53
  • Filename
    1517748