Static analysis for security

Chess, B.; McGraw, Gary

doi:10.1109/msp.2004.111

Cited by 291 publications

(157 citation statements)

References 7 publications

Supporting

Mentioning

156

Contrasting

Unclassified

Order By: Relevance

“…This testing approach in many cases uses static analysis tools to find code-based defects [6]. There is a range of issues that could be focused by a static analysis tool such as duplications, coding rules, code complexity, unit test coverage, and structural complexity.…”

Section: Background On Software and Security Testingmentioning

confidence: 99%

How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams

Cruzes

Felderer

Oyetoyan

et al. 2017

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

Abstract. Security testing can broadly be described as (1) the testing of security requirements that concerns confidentiality, integrity, availability, authentication, authorization, nonrepudiation and (2) the testing of the software to validate how much it can withstand an attack. Agile testing involves immediately integrating changes into the main system, continuously testing all changes and updating test cases to be able to run a regression test at any time to verify that changes have not broken existing functionality. Software companies have a challenge to systematically apply security testing in their processes nowadays. There is a lack of guidelines in practice as well as empirical studies in real-world projects on agile security testing; industry in general needs a more systematic approach to security. The findings of this research are not surprising, but at the same time are alarming. The lack of knowledge on security by agile teams in general, the large dependency on incidental pen-testers, and the ignorance in static testing for security are indicators that security testing is highly under addressed and that more efforts should be addressed to security testing in agile teams.

show abstract

Section: Background On Software and Security Testingmentioning

confidence: 99%

How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams

Cruzes

Felderer

Oyetoyan

et al. 2017

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

show abstract

“…One attempt to mitigate the hardship of human intervention in security testing utilizes static analysis to automate security vulnerability checking. Over time, several static analysis techniques have been proposed and developed to achieve this goal, including symbolic execution, abstraction interpretation, model checking, integer range analysis, interprocedural analysis, and type inference analysis [32]. Static analysis techniques leverage the fact that programming rules often map clearly to the source code level, thus static inspection can find many of their violations [11].…”

Section: Literature Reviewmentioning

confidence: 99%

Goal-oriented dynamic test generation

Khoo

Fong

et al. 2015

Information and Software Technology

View full text Add to dashboard Cite

“…JFlow compiler [22] statically checks programs for correctness using information flow annotations and formal rules to prevent information leaks through storage channels. The major disadvantage of all the static analysis approaches is that they require a source code, they have some limitations due to undecidability problems [21] and they might report a number of false positives [6].…”

Section: Related Workmentioning

confidence: 99%

Detecting Control Flow in Smarphones: Combining Static and Dynamic Analyses

Graa

Cuppens-Boulahia

Cuppens

et al. 2012

Cyberspace Safety and Security

View full text Add to dashboard Cite

Abstract. Security in embedded systems such as smartphones requires protection of confidential data and applications. Many of security mechanisms use dynamic taint analysis techniques for tracking information flow in software. But these techniques cannot detect control flows that use conditionals to implicitly transfer information from objects to other objects. In particular, malicious applications can bypass Android system and get privacy sensitive information through control flows. We propose an enhancement of dynamic taint analysis that propagates taint along control dependencies by using the static analysis in embedded system such as Google Android operating system. By using this new approach, it becomes possible to protect sensitive information and detect most types of software exploits without reporting too many false positives.

show abstract

Static analysis for security

Cited by 291 publications

References 7 publications

How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams

How is Security Testing Done in Agile Teams? A Cross-Case Analysis of Four Software Teams

Goal-oriented dynamic test generation

Detecting Control Flow in Smarphones: Combining Static and Dynamic Analyses

Contact Info

Product

Resources

About