Evaluating the Cost Reduction of Static Code Analysis for Software Security

Author(s): Dejan Baca, Bengt Carlsson, Lars Lundberg
Title: Evaluating the Cost Reduction of Static Code Analysis for Software Security
Conference name: PLAS'08
Year: 2008
ISBN: 978-1-59593-936-4
Publisher: ACM
City: Tucson, Arizona
ISI number: 000265663900008
Organization: Blekinge Institute of Technology
Department: School of Engineering - Dept. of Systems and Software Engineering (Sektionen för teknik – avd. för programvarusystem)
Authors e-mail: dejan.baca@bth.se, bengt.carlsson@bth.se, lars.lundberg@bth.se
Language: English
Abstract: Automated static code analysis is an efficient technique to increase the quality of software during early development. This paper presents a case study in which mature software with known vulnerabilities is subjected to a static analysis tool. The value of the tool is estimated based on reported failures from customers. An average of 17% cost savings would have been possible if the static analysis tool had been used. The tool also had a 30% success rate in detecting known vulnerabilities and at the same time found 59 new vulnerabilities in the three examined products.
Subject: Software Engineering\General
Computer Science\Electronic security
Computer Science\Computer systems
Keywords: Security, Static code analysis, trouble report, early fault detection, code quality improvement, cost reduction, source code, false positive, Coverity Prevent