Static code analysis is an emerging technique for secure software development that analyzes large code bases without executing them to reveal potential vulnerabilities present in the code. These vulnerabilities include, but are not limited to, SQL injection, buffer overflows, cross-site scripting, improper security settings, and information leakage. Software developers can spend many hours tracking down and fixing the flagged vulnerabilities, yet surveys show that a high percentage of the flagged findings are actually false positives. This paper presents a case study which found that context information regarding libraries (for example, which library routines sanitize or safely encode their input) could account for many of those false positives. We suggest that future research incorporate such context information into static analysis tools for security.
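To make the abstract's point concrete, the following is an added example (written for this page, not code from the paper or its authors) of a minimal taint-tracking analyzer built on Python's `ast` module. It runs over a constructed sample program that calls a hypothetical `sqlescape` library. With no library context, every unknown library call is conservatively treated as passing taint through, so the two functions that route user input through `sqlescape.quote` and `sqlescape.build_query` are flagged alongside the genuinely vulnerable one. Supplying a library-context table that marks those two routines as sanitizers removes the two false positives while keeping the true positive. The source/sink/sanitizer names and the sample code are all assumptions made for the example.

```python
import ast

# Constructed sample program to analyze; 'sqlescape' is a hypothetical library.
SAMPLE = '''
import sqlescape

def lookup(request, cursor):
    name = request.args["name"]                       # taint source
    safe = sqlescape.quote(name)                      # library sanitizer
    cursor.execute("SELECT * FROM u WHERE n = '" + safe + "'")   # safe

def lookup_bad(request, cursor):
    name = request.args["name"]
    cursor.execute("SELECT * FROM u WHERE n = '" + name + "'")   # real injection

def lookup_wrapped(request, cursor):
    name = request.args["name"]
    q = sqlescape.build_query("SELECT * FROM u WHERE n = ?", name)  # parameterised
    cursor.execute(q)                                 # safe
'''

SOURCES = {"request.args"}        # subscripting this expression yields tainted data
SINKS = {"cursor.execute"}        # passing tainted data here is reported

# Library context: knowledge about third-party routines (assumed for the example).
LIBRARY_CONTEXT = {
    "sqlescape.quote": "sanitizer",
    "sqlescape.build_query": "sanitizer",
}


def qualname(node):
    """Dotted name for Name/Attribute chains such as cursor.execute, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural, flow-insensitive taint propagation over assignments."""

    def __init__(self, library_context):
        self.ctx = library_context
        self.tainted = set()      # tainted local variable names in current function
        self.current = None       # name of the function being analyzed
        self.findings = []        # (function, line) pairs for tainted sink calls

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):
            return qualname(node.value) in SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):            # string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):        # f-strings
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):
            if self.ctx.get(qualname(node.func)) == "sanitizer":
                return False                       # context says output is clean
            # Unknown callee: conservatively assume taint flows through arguments.
            return any(self.is_tainted(a) for a in node.args)
        return False                               # constants and everything else

    def visit_FunctionDef(self, node):
        self.tainted = set()
        self.current = node.name
        self.generic_visit(node)

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self.is_tainted(node.value):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)
        self.generic_visit(node)

    def visit_Call(self, node):
        if qualname(node.func) in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((self.current, node.lineno))
        self.generic_visit(node)


def flagged_functions(source, library_context):
    """Return the sorted names of functions in which a tainted sink call was found."""
    analyzer = TaintAnalyzer(library_context)
    analyzer.visit(ast.parse(source))
    return sorted({func for func, _ in analyzer.findings})


if __name__ == "__main__":
    print("without library context:", flagged_functions(SAMPLE, {}))
    print("with library context:   ", flagged_functions(SAMPLE, LIBRARY_CONTEXT))
```

The design choice that matters is the unknown-callee rule in `is_tainted`: treating every unmodelled library call as taint-preserving is the sound default, but it is exactly what produces the false positives the paper attributes to missing library context. A real tool would populate the context table from library annotations or a curated model of framework APIs rather than a hand-written dictionary.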