Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter?

Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools' output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state-of-the-art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings, and that only developers with specific experience are better than chance at detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers, and a combination of security experience and SAT experience almost tripled the number of correct security answers.
