Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?

Document type: Conference Papers
Peer reviewed: Yes
Author(s): Dejan Baca, Kai Petersen, Bengt Carlsson, Lars Lundberg
Title: Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?
Conference name: International Conference on Availability, Reliability and Security ARES
Year: 2009
Pagination: 804–810
Publisher: IEEE Computer Society Press
City: Fukuoka, Japan
URI/DOI: 10.1109/ARES.2009.163
Organization: Blekinge Institute of Technology
Department: School of Computing (Sektionen för datavetenskap och kommunikation)
School of Computing S-371 79 Karlskrona
+46 455 38 50 00
http://www.bth.se/com
Language: English
Abstract: Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools' output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state of the art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings and only developers with specific experiences are better than chance in detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers and a combination of security experience and SAT experience almost tripled the number of correct security answers.
Subject: Computer Science\General
Computer Science\Electronic security
Software Engineering\General
Keywords: security, vulnerabilities, static code analysis, coverity, prevent, industry experiment, static analysis, experience, software security