Evaluating the cost reduction of static code analysis for software security

Authors:
Dejan Baca;Bengt Carlsson;Lars Lundberg
Affiliations:
School of Engineering, Blekinge Institute of Technology, Karlskrona, Sweden;School of Engineering, Blekinge Institute of Technology, Ronneby, Sweden;School of Engineering, Blekinge Institute of Technology, Ronneby, Sweden
Venue:
Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security
Year:
2008

Citing 12
Cited 2

A Comprehensive Evaluation of Capture-Recapture Models for Estimating Software Defect Content

IEEE Transactions on Software Engineering
Formal Models for Computer Security

ACM Computing Surveys (CSUR)
Building secure software: how to avoid security problems the right way

Building secure software: how to avoid security problems the right way
A system and language for building system-specific, static analyses

PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Software Engineering Economics

Software Engineering Economics
Software Defect Reduction Top 10 List

Computer
Improving Security Using Extensible Lightweight Static Analysis

IEEE Software
Static Analysis for Security

IEEE Security and Privacy
The Trustworthy Computing Security Development Lifecycle

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
One evaluation of model-based testing and its automation

Proceedings of the 27th international conference on Software engineering
Software Security Analysis - Execution Phase Audit

EUROMICRO '05 Proceedings of the 31st EUROMICRO Conference on Software Engineering and Advanced Applications
Effect of static analysis tools on software security: preliminary investigation

Proceedings of the 2007 ACM workshop on Quality of protection

Agile development with security engineering activities

Proceedings of the 2011 International Conference on Software and Systems Process
Prioritizing countermeasures through the countermeasure method for software security (CM-Sec)

PROFES'10 Proceedings of the 11th international conference on Product-Focused Software Process Improvement

Quantified Score

Hi-index	0.00

Visualization

Abstract

Automated static code analysis is an efficient technique to increase the quality of software during early development. This paper presents a case study in which mature software with known vulnerabilities is subjected to a static analysis tool. The value of the tool is estimated based on reported failures from customers. An average of 17% cost savings would have been possible if the static analysis tool was used. The tool also had a 30% success rate in detecting known vulnerabilities and at the same time found 59 new vulnerabilities in the three examined products.