Static Analysis Alert Audits: Lexicon & Rules

There is no widely accepted lexicon or standard set of rules for auditing static analysis alerts in the software engineering community. Auditing rules and a shared lexicon should lead different auditors to make the same determination for a given alert. Standard terms and processes are necessary so that initial determinations are correctly interpreted by whoever acts on them, which helps organizations reduce code flaws. They are also needed to improve the quality of audit data, which in turn benefits research on alert prioritization. This paper proposes a set of auditing rules and a lexicon, giving a rationale grounded in modern software engineering practice for each rule and each lexicon term. Code examples accompany some of the auditing rules. The authors' hope is that this proposed framework will motivate community discussion leading to agreed-upon standards.
