DocumentCode
3288509
Title
Of Massive Static Analysis Data
Author
Delaitre, Aurelien ; Okun, Vadim ; Fong, Erin
Author_Institution
Dept. of Comput. Sci. & Electr. Eng., West Virginia Univ., Morgantown, WV, USA
fYear
2013
fDate
18-20 June 2013
Firstpage
163
Lastpage
167
Abstract
The Software Assurance Metrics and Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST) has organized four Static Analysis Tool Expositions (SATE). SATE is designed to advance research in static analysis tools that find security-relevant defects in source code. Briefly, participating tool makers run their tools on a set of programs. Researchers led by NIST analyze the tool outputs. The results and experiences are reported at a workshop. These expositions have accumulated large amounts of data. This collection allowed for the development and validation of practical metrics in regard to static analysis tool effectiveness and independence. In this paper, we discuss the role of the data in determining which metrics can be derived. Specifically, we detail the three characteristics test data should exhibit and explain why the data we use express each combination of two out of these three properties.
Keywords
program diagnostics; software metrics; NIST; National Institute of Standards and Technology; SAMATE; massive static analysis data; software assurance metrics and tool evaluation project; static analysis tool expositions; Conferences; Manuals; Measurement; NIST; Production; Security; Software; security weaknesses; software metrics; static analysis tools; tool effectiveness; tool independence;
fLanguage
English
Publisher
ieee
Conference_Titel
Software Security and Reliability-Companion (SERE-C), 2013 IEEE 7th International Conference on
Conference_Location
Gaithersburg, MD
Print_ISBN
978-1-4799-2924-5
Type
conf
DOI
10.1109/SERE-C.2013.10
Filename
6616339