Black, P.
(2020),
Static Analyzers: Seat Belts for Your Code, IEEE Security & Privacy
(Accessed May 4, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Static Analyzers: Seat Belts for Your Code
Published
Author(s)
Abstract
Just as seat belt use is wide spread, we argue that the use static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE), and some of the lessons we learned: sophisticated explanation aids and graphical code displays help programmers understand warnings, warnings have value more nuanced than just true or false including context-dependent or quality-related information, bugs are intermingled and diffuse rather than being distinct, and tools find real problems in code. Since security must be designed in, static analysis should be used early in software development to reduce vulnerabilities, or even better, to provide feedback to educate software developer and reinforce good practices, minimizing vulnerable constructs ever getting in the code. To understand static analyzers, we collected thousands of reference programs with documented weaknesses. These are publicly available. Even as industry migrates to languages safer than unconstrained C, which eliminates many possible weaknesses, static analysis can be even more useful to check annotations, guarantees, conditions, and specifications provided by developers.Citation
IEEE Security & Privacy
Pub Type
Journals
Keywords
static analysis, software assurance, SAMATE, SATE
Citation
Created April 17, 2020