Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital

Oyetoyan, Tosin Daniel; Milosheska, Bisera; Grini, Mari; Cruzes, Daniela S.

doi:10.1007/978-3-319-91602-6_6

Cited by 36 publications

(25 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, it was possible to identify a set of conjectures related to security and performance verification based on the analysis of collected information. The conjectures serve as the basis for recommendations in security and performance verification, confirming findings presented in [25] [26]. The results from this study will, also, allow to identify possible technology gaps and challenges and provide feedback to software researchers regarding the alignment of their research with real problems [27].…”

Section: Introductionsupporting

confidence: 76%

“…Additionally, they provide some recommendations for practitioners and researchers towards software testing: the need for more precision on the definition of security needs, the improvement of developers' security knowledge, and the need for lightweight techniques suitable for practical use. From the same research group, Oyetoyan et al [26] present the findings of an action research highlighting the developers' perceptions on using security static analysis tools, also in Norway. Some of the findings are also similar to our results: the high effort to configure the tools, the high number of false positives, and unknown real tools' capability.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Perception of the Practice of Software Security and Performance Verification

Ribeiro¹,

Cruzes²,

Travassos³

2018

2018 25th Australasian Software Engineering Conference (ASWEC)

View full text Add to dashboard Cite

Security and performance are critical nonfunctional requirements for software systems. Thus, it is crucial to include verification activities during software development to identify defects related to such requirements, avoiding their occurrence after release. Software verification, including testing and reviews, encompasses a set of activities that have a purpose of analyzing the software searching for defects. Security and performance verification are activities that look at defects related to these specific quality attributes. Few empirical studies have been focused on how is the state of the practice in security and performance verification. This paper presents the results of a case study performed in the context of Brazilian organizations aiming to characterize security and performance verification practices. Additionally, it provides a set of conjectures indicating recommendations to improve security and performance verification activities.

show abstract

Section: Introductionsupporting

confidence: 76%

Section: Introductionmentioning

confidence: 99%

A Perception of the Practice of Software Security and Performance Verification

Ribeiro¹,

Cruzes²,

Travassos³

2018

2018 25th Australasian Software Engineering Conference (ASWEC)

View full text Add to dashboard Cite

show abstract

“…Programmers and developers work with very short deadlines and are most concerned about delivering functionalities rather than having application security as the primary objective. Hence most software designs forgoe code testing and verification during the development stages [1]. Software defects, or bugs, can cost companies significant amounts of money, especially when they lead to software failure [2].…”

Section: Introductionmentioning

confidence: 99%

Static Analyzers and Potential Future Research Directions for Scala: An Overview

Sajan

Zhang

Cheng

2019

2019 14th International Conference on Computer Science &Amp; Education (ICCSE)

View full text Add to dashboard Cite

Static analyzers are tool-sets which are proving to be indispensable to modern programmers. These enable the programmers to detect possible errors and security defects present in the current code base within the implementation phase of the development cycle; rather than relying on a standalone testing phase. Static analyzers typically highlight possible defects within the 'static' source code and thus does not require the source code to be compiled or executed. The Scala programming language has been gaining wider adoption across various industries in recent years. With such a wide adoption of tools of this nature, this paper presents an overview on the static analysis tools available, both commercial and open-source, for the Scala programming language. This paper discusses in detail about the types of defects that each of these tools can detect, limitations of these tools and also provide potential research direction that can improve the current state of static analyzers for the Scala programming language.

show abstract

“…The richness of the framework has ensured its usefulness for both research and practice. To name a few of the application domains, the CWE framework has been used for security (compliance) assessments [8,9], risk analysis [1,6], quantitative trend analysis [22], data mining [13], static source code analysis [25], dissemination of fuzzing results [15], and last but not least, education and security awareness [16]. Also text mining applications have been common, although there are still gaps in the literature.…”

Section: Introductionmentioning

confidence: 99%

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Ruohonen

Leppänen

2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

This paper presents a preliminary validation of common textual information retrieval techniques for mapping unstructured software vulnerability information to distinct software weaknesses. The validation is carried out with a dataset compiled from four software repositories tracked in the Snyk vulnerability database. According to the results, the information retrieval techniques used perform unsatisfactorily compared to regular expression searches. Although the results vary from a repository to another, the preliminary validation presented indicates that explicit referencing of vulnerability and weakness identifiers is preferable for concrete vulnerability tracking. Such referencing allows the use of keyword-based searches, which currently seem to yield more consistent results compared to information retrieval techniques. Further validation work is required for improving the precision of the techniques, however.

show abstract

Myths and Facts About Static Application Security Testing Tools: An Action Research at Telenor Digital

Cited by 36 publications

References 18 publications

A Perception of the Practice of Software Security and Performance Verification

A Perception of the Practice of Software Security and Performance Verification

Static Analyzers and Potential Future Research Directions for Scala: An Overview

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Contact Info

Product

Resources

About