Static Analyzers: Seat Belts for Your Code

Published

Author(s)

Paul Black

Abstract

Just as seat belt use is widespread, we argue that the use of static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE) and some of the lessons we learned: sophisticated explanation aids and graphical code displays help programmers understand warnings; warnings carry value more nuanced than simply true or false, including context-dependent or quality-related information; bugs are intermingled and diffuse rather than distinct; and tools find real problems in code. Since security must be designed in, static analysis should be used early in software development to reduce vulnerabilities or, even better, to provide feedback that educates software developers and reinforces good practices, minimizing the chance that vulnerable constructs ever get into the code. To understand static analyzers, we collected thousands of reference programs with documented weaknesses; these are publicly available. Even as industry migrates to languages safer than unconstrained C, which eliminates many possible weaknesses, static analysis can be even more useful for checking annotations, guarantees, conditions, and specifications provided by developers.
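The abstract's point that warnings are "more nuanced than just true or false" is easiest to see in a tool that grades what it reports. The following is an added example, not code from the paper, from the SATE expositions, or from any SAMATE tool: a small AST-based checker for Python that classifies each finding as a definite weakness, a context-dependent finding, or a quality issue. The rules, the three categories, and the sample program it scans are all constructed for illustration.

```python
"""Tiny AST-based static analyzer that grades its warnings.

Added illustration; not code from the SATE expositions or the SAMATE
project.  The rules below are deliberately small and the sample program
is constructed so that each rule fires exactly once.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Warning:
    line: int
    rule: str
    kind: str  # "weakness", "context-dependent", or "quality"
    message: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run'.

    Calls on the result of another call (x().y()) give only the last
    attribute, which is enough for the rules below."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class Analyzer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.warnings: List[Warning] = []

    def _warn(self, node: ast.AST, rule: str, kind: str, message: str) -> None:
        self.warnings.append(Warning(node.lineno, rule, kind, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        first = node.args[0] if node.args else None
        if name == "eval":
            # eval() of a literal is pointless but harmless; of anything
            # else it is arbitrary code execution on that value.
            if isinstance(first, ast.Constant):
                self._warn(node, "eval-literal", "quality",
                           "eval() of a constant string; replace with the value")
            else:
                self._warn(node, "eval-dynamic", "weakness",
                           "eval() of a non-literal expression")
        elif name in ("subprocess.run", "subprocess.call", "subprocess.Popen"):
            shell = next((kw for kw in node.keywords if kw.arg == "shell"), None)
            if shell is not None and isinstance(shell.value, ast.Constant) \
                    and shell.value.value is True:
                if isinstance(first, ast.Constant):
                    # Fixed command string: no injection, but shell=True is
                    # unnecessary and a maintenance hazard.
                    self._warn(node, "shell-literal", "quality",
                               "shell=True with a constant command; pass a list instead")
                else:
                    self._warn(node, "shell-dynamic", "weakness",
                               "shell=True with a command built at runtime")
        elif name == "hashlib.md5":
            # Whether this matters depends on what the digest protects:
            # fine as a file checksum, a weakness for passwords or signatures.
            self._warn(node, "weak-hash", "context-dependent",
                       "md5 is acceptable for checksums, not for security use")
        self.generic_visit(node)


def analyze(source: str) -> List[Warning]:
    """Parse `source` and return its warnings sorted by line."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.warnings, key=lambda w: w.line)


def summarize(warnings: List[Warning]) -> Dict[str, int]:
    """Count warnings per kind so a reader sees the grading, not a flat list."""
    counts: Dict[str, int] = {}
    for w in warnings:
        counts[w.kind] = counts.get(w.kind, 0) + 1
    return counts


# Constructed sample program; line numbers are what the analyzer reports.
SAMPLE = """\
import subprocess, hashlib

def handle(user_input):
    subprocess.run("ls -l " + user_input, shell=True)    # line 4: weakness
    subprocess.run("ls -l", shell=True)                   # line 5: quality
    eval(user_input)                                      # line 6: weakness
    return hashlib.md5(user_input.encode()).hexdigest()   # line 7: context-dependent
"""

if __name__ == "__main__":
    found = analyze(SAMPLE)
    for w in found:
        print(f"line {w.line:>2}  {w.kind:<18} {w.rule:<14} {w.message}")
    print(summarize(found))
```

The grading is the point: a flat list of four "findings" hides that line 5 is a style nit, line 7 depends on what the hash protects, and only lines 4 and 6 are unconditional problems. A real tool's explanation aid would attach the reasoning in each `message` to the code display.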

Citation
IEEE Security & Privacy

Keywords

static analysis, software assurance, SAMATE, SATE

Citation

Black, P. (2012), Static Analyzers: Seat Belts for Your Code, IEEE Security & Privacy, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=910409 (Accessed October 13, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created January 10, 2012, Updated September 29, 2025