Improving the Automated Detection and Analysis of Secure Coding Violations

Abstract

Coding errors cause the majority of software vulnerabilities. For example, 64% of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors. The CERT Division's Source Code Analysis Laboratory (SCALe) offers conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java, using various analysis tools available from commercial software vendors. Unfortunately, the current SCALe analysis process and tools do not collect any statistics about the accuracy of the code analysis tools or about the coding violations they flag, such as their frequency of occurrence. This paper describes the approach used to add the ability to collect and statistically analyze data about coding violations and tool characteristics, along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2014
Accession Number
ADA609855

Entities

People

  • Daniel Plakosh
  • David Svoboda
  • David Zubrow
  • Robert Seacord
  • Robert W. Stoddard

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Accuracy
  • Application Software
  • Compilers
  • Computer Programming
  • Computer Programs
  • Databases
  • Detection
  • Engineering
  • Errors
  • Information Science
  • Language
  • Operating Systems
  • Software Development
  • Software Development Tools
  • Standards
  • Statistics
  • Vulnerability

Fields of Study

  • Computer science
  • Engineering

Readers

  • Database Systems and Applications
  • Regression Analysis
  • Software Engineering