Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Static Analysis is not enough: The Role of Architecture and Design in Software Assurance

Published

Author(s)

Walter R. Houser

Abstract

Static analysis testing of software source code is necessary but not sufficient. Over 40 percent of the Common Weakness Enumeration (CWE) are likely to be introduced in the architecture and design phase of the development life cycle. By their very nature, architecture and design flaws are rarely found during static analysis. Fixes to these errors can be complex and can further compound the problem by injecting additional defects, as well as alert adversaries to the existence of these flaws. Moreover design flaws can obscure the coding bugs that static analysis might otherwise detect, as demonstrated by the Heartbleed vulnerability. This paper describes the techniques architects and designers can employ to prevent flaws in applications before the programmers are tasked with building insecurity in.
Citation
Crosstalk (Hill AFB): the Journal of Defense Software Engineering
Volume
27

Keywords

Static Analysis, Software Architecture, Software Design, Software Assurance, flaws, bugs, software vulnerabilities, software weaknesses, Common Weakness Enumeration (CWE)

Citation

Houser, W. (2014), Static Analysis is not enough: The Role of Architecture and Design in Software Assurance, Crosstalk (Hill AFB): the Journal of Defense Software Engineering, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=916027 (Accessed May 28, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created December 1, 2014, Updated February 19, 2017