Static Analyzers: Seat Belts for Your Code

Published

Author(s)

Paul E. Black

Abstract

Just as seat belt use is widespread, we argue that the use of static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE) and some of the lessons we learned: sophisticated explanation aids and graphical code displays help programmers understand warnings; warnings have value more nuanced than just true or false, including context-dependent or quality-related information; bugs are intermingled and diffuse rather than distinct; and tools find real problems in code. Since security must be designed in, static analysis should be used early in software development to reduce vulnerabilities, or, even better, to provide feedback that educates software developers and reinforces good practices, minimizing the chance that vulnerable constructs ever get into the code. To understand static analyzers, we collected thousands of reference programs with documented weaknesses. These are publicly available. Even as industry migrates to languages safer than unconstrained C, which eliminates many possible weaknesses, static analysis can be even more useful to check annotations, guarantees, conditions, and specifications provided by developers.

Citation
IEEE Security & Privacy

Keywords

static analysis, software assurance, SAMATE, SATE
Created April 17, 2020