Just as seat belt use is widespread, we argue that the use of static analysis should be part of ethical software development. We explain some of the procedures of the four Static Analysis Tool Expositions (SATE) and some of the lessons we learned: sophisticated explanation aids and graphical code displays help programmers understand warnings; warnings have value more nuanced than just true or false, including context-dependent or quality-related information; bugs are intermingled and diffuse rather than distinct; and tools find real problems in code. Since security must be designed in, static analysis should be used early in software development to reduce vulnerabilities, or, even better, to provide feedback that educates software developers and reinforces good practices, minimizing the chance that vulnerable constructs ever get into the code. To understand static analyzers, we collected thousands of reference programs with documented weaknesses. These are publicly available. Even as industry migrates to languages safer than unconstrained C, which eliminates many possible weaknesses, static analysis can be even more useful for checking annotations, guarantees, conditions, and specifications provided by developers.
IEEE Security & Privacy
static analysis, software assurance, SAMATE, SATE