Automated static code analysis: A tool for early vulnerability detection
2009 (English)
Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Software vulnerabilities are added to programs during their development. Architectural flaws are introduced during planning and design, while implementation faults are created during coding. Penetration testing is often used to detect these vulnerabilities. This approach is expensive because it is performed late in development, and any correction would increase lead time. An alternative would be to detect and correct vulnerabilities in the phase of development where they are the least expensive to detect and correct. Source code audits have often been suggested and used to detect implementation vulnerabilities. However, manual audits are time consuming and require extensive expertise to be efficient. A static code analysis tool could achieve the same results as a manual audit but in a fraction of the time. Through a set of case studies and experiments at Ericsson AB, this thesis investigates the technical capabilities and limitations of using a static analysis tool as an early vulnerability detector. The investigation is extended to the human factor by examining how developers interact with and use the static analysis tool. The contributions of this thesis include the identification of the tool's capabilities, so that further security improvements can focus on other types of vulnerabilities. By using static analysis early in development, possible cost-saving measures are identified. Additionally, the thesis presents the limitations of static code analysis. The most important limitation is the incorrect warnings that are reported by static analysis tools. In addition, a development process overhead was deemed necessary to successfully use static analysis in an industry setting.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Institute of Technology, 2009.
Series
Blekinge Institute of Technology Licentiate Dissertation Series, ISSN 1650-2140; 4
National Category
Software Engineering, Computer Science
Identifiers
URN: urn:nbn:se:bth-00429
Local ID: 978-91-7295-161-7
OAI: diva2:835934
Available from: 2012-09-18
Created: 2009-03-12
Last updated: 2015-06-30
Bibliographically approved

Open Access in DiVA

File information
File name: FULLTEXT01.pdf
File size: 1070 kB
Checksum: SHA-512
Type: fulltext
Mimetype: application/pdf
