Securing Java code: heuristics and an evaluation of static analysis tools

Authors:
Michael S. Ware;Christopher J. Fox
Affiliations:
James Madison University, Harrisonburg, VA;James Madison University, Harrisonburg, VA
Venue:
Proceedings of the 2008 workshop on Static analysis
Year:
2008

Citing 15
Cited 2

Securing Java: getting down to business with mobile code

Securing Java: getting down to business with mobile code
Inside Java 2 platform security architecture, API design, and implementation

Inside Java 2 platform security architecture, API design, and implementation
On the criteria to be used in decomposing systems into modules

Communications of the ACM
Effective Java programming language guide

Effective Java programming language guide
Writing Secure Code

Writing Secure Code
Coping with Java Programming Stress

Computer
A Comparison of Bug Finding Tools for Java

ISSRE '04 Proceedings of the 15th International Symposium on Software Reliability Engineering
Finding bugs is easy

ACM SIGPLAN Notices
Introduction to Software Engineering Design: Processes, Principles and Patterns with UML2

Introduction to Software Engineering Design: Processes, Principles and Patterns with UML2
Evaluating static analysis defect warnings on production software

PASTE '07 Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Java Insecurity: Accounting for Subtleties That Can Compromise Code

IEEE Software
An Evaluation of Two Bug Pattern Tools for Java

ICST '08 Proceedings of the 2008 International Conference on Software Testing, Verification, and Validation
Secure programming with static analysis

Secure programming with static analysis
Building Secure Software: How to Avoid Security Problems the Right Way (paperback) (Addison-Wesley Professional Computing Series)

Building Secure Software: How to Avoid Security Problems the Right Way (paperback) (Addison-Wesley Professional Computing Series)
Comparing bug finding tools with reviews and tests

TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems

Towards a unified fault-detection benchmark

Proceedings of the 9th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
A study of android application security

SEC'11 Proceedings of the 20th USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

A secure coding standard for Java does not exist. Even if a standard did exist, it is not known how well static analysis tools could enforce it. In this work, we show how well eight static analysis tools can identify violations of a comprehensive collection of coding heuristics for increasing the quality and security of Java SE code. A new taxonomy for correlating coding heuristics with the design principles they help to achieve is also described. The taxonomy aims to make understanding, applying, and remembering both principles and heuristics easier. A significant number of secure coding violations, some of which make attacks possible, were not identified by any tool. Even if all eight tools were combined into a single tool, more than half of the violations included in the study would not be identified.