Static Analysis is not enough: The Role of Architecture and Design in Software Assurance
Walter R. Houser
Static analysis testing of software source code is necessary but not sufficient. Over 40 percent of the Common Weakness Enumeration (CWE) are likely to be introduced in the architecture and design phase of the development life cycle. By their very nature, architecture and design flaws are rarely found during static analysis. Fixes to these errors can be complex and can further compound the problem by injecting additional defects and by alerting adversaries to the existence of these flaws. Moreover, design flaws can obscure the coding bugs that static analysis might otherwise detect, as demonstrated by the Heartbleed vulnerability. This paper describes the techniques architects and designers can employ to prevent flaws in applications before the programmers are tasked with building insecurity in.
Crosstalk (Hill AFB): the Journal of Defense Software Engineering
Static Analysis is not enough: The Role of Architecture and Design in Software Assurance, Crosstalk (Hill AFB): the Journal of Defense Software Engineering, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=916027
(Accessed November 29, 2023)