Paul Black , NIST, Gaithersburg
ABSTRACT
Just as seat belt use is widespread, we argue that use of a static analyzer should be part of ethical software development. Drawing on our experience with three Static Analysis Tool Expositions (SATE), we show that static analysis tools report actual vulnerabilities. Even though the expression of most weaknesses is far more complex than a single bug of one type at exactly these lines of code, static analysis tools identify real vulnerabilities. Their information-rich reports and graphical interfaces help developers efficiently and correctly understand weaknesses and their possible consequences. The tools' capabilities complement expert analysis. We also collected thousands of engineered reference programs with known weaknesses in the SAMATE Reference Dataset (SRD). Using SATE data and the publicly available SRD programs, we plan to develop benchmarks so users can be confident about how much assurance the use of static analyzers provides.
INDEX TERMS
D.2.17.h Construction QA, D.2.19.a Quality concepts, D.2.5.a Code inspections and walkthroughs, K.4.1.c Ethics
CITATION
Paul Black, "Static Analyzers: Seat Belts for Your Code", IEEE Security & Privacy, no. 1, PrePrints, doi:10.1109/MSP.2012.2