THE EXPERIENCE OF COMPARISON OF STATIC SECURITY CODE ANALYZERS

THE EXPERIENCE OF COMPARISON OF STATIC SECURITY CODE ANALYZERS

This work presents a methodological approach to comparison of static security code analyzers. It substantiates the comparison of the static analyzers as to efficiency and functionality indicators, which are stipulated in the international regulatory documents. The test data for assessment of static...

Full description

Bibliographic Details
Main Authors: Alexey Markov, Andrew Fadin, Vladislav Shvets, Valentin Tsirlov
Format: Article
Language:English
Published: Science and Innovation Center Publishing House 2015-09-01
Series:International Journal of Advanced Studies
Subjects:
information security
software security
static analysis
code vulnerabilities, security weaknesses
undocumented features
program testing
security audit
Online Access:http://journal-s.org/index.php/ijas/article/view/8529
Description
Summary:This work presents a methodological approach to comparison of static security code analyzers. It substantiates the comparison of the static analyzers as to efficiency and functionality indicators, which are stipulated in the international regulatory documents. The test data for assessment of static analyzers efficiency is represented by synthetic sets of open-source software, which contain vulnerabilities. We substantiated certain criteria for quality assessment of the static security code analyzers subject to standards NIST SP 500-268 and SATEC. We carried out experiments that allowed us to assess a number of the Russian proprietary software tools and open-source tools. We came to the conclusion that it is of paramount importance to develop Russian regulatory framework for testing software security (firstly, for controlling undocumented features) and evaluating the quality of static security code analyzers.
ISSN:2328-1391
2227-930X

Similar Items