Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Automated static code analysis: A tool for early vulnerability detection
Responsible organisation
2009 (English)Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Software vulnerabilities are added into programs during its development. Architectural flaws are introduced during planning and design, while implementation faults are created during coding. Penetration testing is often used to detect these vulnerabilities. This approach is expensive because it is performed late in development and any correction would increase lead-time. An alternative would be to detect and correct vulnerabilities in the phase of development where they are the least expensive to correct and detect. Source code audits have often been suggested and used to detect implementations vulnerabilities. However, manual audits are time consuming and require extended expertise to be efficient. A static code analysis tool could achieve the same results as a manual audit but at fraction of the time. Through a set of cases studies and experiments at Ericsson AB, this thesis investigates the technical capabilities and limitations of using a static analysis tool as an early vulnerability detector. The investigation is extended to studying the human factor by examining how the developers interact and use the static analysis tool. The contributions of this thesis include the identification of the tools capabilities so that further security improvements can focus on other types of vulnerabilities. By using static analysis early in development possible cost saving measures are identified. Additionally, the thesis presents the limitations of static code analysis. The most important limitation being the incorrect warnings that are reported by static analysis tools. In addition, a development process overhead was deemed necessary to successfully use static analysis in an industry setting.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Institute of Technology , 2009.
Series
Blekinge Institute of Technology Licentiate Dissertation Series, ISSN 1650-2140 ; 4
National Category
Software Engineering Computer Science
Identifiers
URN: urn:nbn:se:bth-00429Local ID: oai:bth.se:forskinfoE2E0D083F6A2D6A2C125757700303147ISBN: 978-91-7295-161-7 (print)OAI: oai:DiVA.org:bth-00429DiVA: diva2:835934
Available from: 2012-09-18 Created: 2009-03-12 Last updated: 2015-06-30Bibliographically approved

Open Access in DiVA

fulltext(1070 kB)276 downloads
File information
File name FULLTEXT01.pdfFile size 1070 kBChecksum SHA-512
f5717486ede0fd5370c2946aa3f4ab2f29ebc58ccdbfae92320c19954d3fbe5b452487cb21dc3f65e258df0a74dea3178c5c7e4a4f36e77f40b306d0ce0880a2
Type fulltextMimetype application/pdf

Software EngineeringComputer Science

Search outside of DiVA

GoogleGoogle Scholar
Total: 276 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 376 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf