Security engineering - Developing secure code
I'm currently employed as a researcher at Ericsson AB and Blekinge Institute of Technology; my research topic is the development of secure software in an Agile development process.
In commercial environments, the majority of software subversion vulnerabilities result from a few known kinds of coding defects. Common software defects include buffer overflows, format string vulnerabilities, integer overflow, and code/command injection.
Automated static code analysis - A tool for early vulnerability detection
Papers
Software Security Analysis - Execution Phase Audit
EuroMicro (31st) 2005, IEEE. Abstract:
Code revision of a leading telecom product was performed, combining manual audit and static analysis tools. On average, one exploitable vulnerability was found for every 4000 lines of code. Half of the located threats in the product were buffer overflows, followed by race conditions, misplaced trust, and poor random generators. Static analysis tools were used to speed up the revision process and to integrate security tests into the overall project process. The discussion analyses the effectiveness of automatic tools for auditing software. Furthermore, the incorporation of the software security analysis into the development process, and the results and costs of the security analysis, are discussed. Of the initial 42 workdays used for finding all vulnerabilities, approximately 16 days were needed for finding and correcting 91.5% of the vulnerabilities. Proportionally small investments therefore improve the security of the program code when an automatic auditing tool is integrated into the ordinary execution of source code revision.
Evaluating the Cost Reduction of Static Code Analysis for Software Security
PLAS (3rd) 2008, ACM. Abstract:
Automated static code analysis is an efficient technique to increase the quality of software during early development. This paper presents a case study in which mature software with known vulnerabilities is subjected to a static analysis tool. The value of the tool is estimated based on reported failures from customers. An average of 17% cost savings would have been possible if the static analysis tool had been used. The tool also had a 30% success rate in detecting known vulnerabilities and at the same time found 59 new vulnerabilities in the three examined products.
Static Code Analysis to Detect Software Security Vulnerabilities: Does Experience Matter?
ARES (4th) 2009, IEEE. Abstract:
Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tool's output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state-of-the-art static analysis tool and real vulnerabilities. We have found that average developers do not correctly identify the security warnings, and only developers with specific experience are better than chance in detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers, and a combination of security experience and SAT experience almost tripled the number of correct security answers.
Journals
Static analysis as a security touch point: An industry case study
Journal of Systems and Software. Abstract:
In this paper, we have studied a company's usage of a static analysis tool. We have observed what types of vulnerabilities the tool detects, how the tool is used and how developers handle the tool. We identified that the tool is capable of detecting memory-related vulnerabilities but few vulnerabilities of other types. The deployment of the tool played an important role in its success as an early vulnerability detector, as did the developers' perception of the tool's merit. Classifying the warnings from the tool was actually harder than correcting them, and the correction of false positives in some cases created new vulnerabilities in previously safe code. The tool's ability to pinpoint vulnerabilities down to the source code line was both a strength and a weakness, as developers perceived the warnings as simple and unimportant.
Other non-static code analysis research
Papers
Detecting Defects with an Interactive Code Review Tool Based on Visualisation and Machine Learning
SEKE (21st) 2009, IEEE. Abstract:
Code review is often suggested as a means of improving code quality. Since humans are poor at repetitive tasks, some form of tool support is valuable. To that end we developed a prototype tool to illustrate the novel idea of applying machine learning (based on Normalised Compression Distance) to the problem of static analysis of source code. Since this tool learns by example, it is trivially programmer-adaptable. As machine learning algorithms are notoriously difficult to understand operationally (they are opaque), we applied information visualisation to the results of the learner. In order to validate the approach we applied the prototype to source code from the open-source project Samba and from an industrial telecom software system. Our results showed that the tool did indeed correctly find and classify problematic sections of code based on training examples.
The waterfall model in large-scale development
PROFES (10th) 2009, Springer. Abstract:
Waterfall development is still a widely used way of working in software development companies. Many problems have been reported related to the model. Commonly accepted problems are, for example, coping with change and that defects are all too often detected too late in the software development process. However, many of the problems mentioned in the literature are based on beliefs and experiences, and not on empirical evidence. To address this research gap, we compare the problems in the literature with the results of a case study at Ericsson AB in Sweden, investigating issues in the waterfall model. The case study aims at validating or contradicting the beliefs about what the problems are in waterfall development through empirical research.