SwePub
Hit list for the search "(WFRF:(Niederwieser Dietger)) srt2:(2006-2009)"

  • Results 1-4 of 4
1.
  • Baca, Dejan (author)
  • Identifying Security Relevant Warnings from Static Code Analysis Tools through Code Tainting
  • 2010
  • Conference paper (peer-reviewed), abstract:
    • Static code analysis tools are often used by developers as early vulnerability detectors. Because they are automated, they are less time-consuming and error-prone than manual reviews. However, they produce large quantities of warnings that developers have to examine and understand manually. In this paper, we look at a solution that makes static code analysis tools more useful as early vulnerability detectors. We use flow-sensitive, interprocedural and context-sensitive data flow analysis to determine the point of user input and its migration through the source code to the actual exploit. By determining a vulnerability's point of entry we lower the number of warnings a tool produces, and we give the developer more information about why a warning could be a real security threat. We apply our approach in three different ways depending on the tool examined. First, with the commercial static code analysis tool Coverity, we reanalyze its results and create a set of warnings that are specifically relevant from a security perspective. Second, we altered the open source analysis tool Findbugs to analyze only code that has been tainted by user input. Third, we created our own analysis tool that focuses on XSS vulnerabilities in Java code.
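The approach the abstract describes, as an added illustration that is not the authors' tooling (their work targeted Coverity, Findbugs and Java source): a toy flow-sensitive, interprocedural, context-sensitive taint analysis over Python source, written against Python's `ast` module, that reports a dangerous sink call only when its argument is reachable from user input without passing through a sanitiser. The source, sink and sanitiser names (`get_param`, `render_html`, `run_shell`, `html_escape`) and the sample program are constructed for this example; the "naive" warning list is what a tool that flags every sink call would report.

```python
import ast

SOURCES = {"get_param"}               # hypothetical: returns attacker-controlled input
SINKS = {"render_html", "run_shell"}  # hypothetical XSS and command-injection sinks
SANITIZERS = {"html_escape"}          # hypothetical: neutralises taint on its argument


class TaintAnalyzer:
    def __init__(self, tree):
        self.funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
        self.all_sink_calls = set()  # (sink, line): every sink call, i.e. what a naive tool reports
        self.findings = set()        # (sink, line): sink calls actually reached by tainted data
        self._active = []            # (func, tainted params) under analysis; stops recursion

    def analyze_all(self):
        for func in self.funcs.values():
            self._analyze(func, frozenset())
        return sorted(self.findings)

    def _analyze(self, func, tainted_params):
        # One function under one calling context; returns whether its return value is tainted.
        key = (func.name, tainted_params)
        if key in self._active:
            return False
        self._active.append(key)
        ret_tainted = self._block(func.body, set(tainted_params))
        self._active.pop()
        return ret_tainted

    def _block(self, stmts, env):  # loops, try, augmented assignment are not modelled in this toy
        ret_tainted = False
        for s in stmts:
            if isinstance(s, ast.Assign):
                tainted = self._expr(s.value, env)
                for tgt in (t for t in s.targets if isinstance(t, ast.Name)):
                    (env.add if tainted else env.discard)(tgt.id)  # clean reassignment kills taint
            elif isinstance(s, (ast.Expr, ast.Return)):
                if s.value is not None and self._expr(s.value, env) and isinstance(s, ast.Return):
                    ret_tainted = True
            elif isinstance(s, ast.If):
                self._expr(s.test, env)
                then_env, else_env = set(env), set(env)
                ret_tainted |= self._block(s.body, then_env) | self._block(s.orelse, else_env)
                env.clear()
                env.update(then_env | else_env)  # merge: tainted if tainted on either path
        return ret_tainted

    def _expr(self, node, env):
        if isinstance(node, ast.Name):
            return node.id in env
        if isinstance(node, ast.Call):
            arg_taints = [self._expr(a, env) for a in node.args]  # also records sinks nested in args
            name = node.func.id if isinstance(node.func, ast.Name) else getattr(node.func, "attr", None)
            if name in SANITIZERS:
                return False
            if name in SOURCES:
                return True
            if name in SINKS:
                self.all_sink_calls.add((name, node.lineno))
                if any(arg_taints):
                    self.findings.add((name, node.lineno))
                return False
            if isinstance(node.func, ast.Name) and name in self.funcs:
                # context-sensitive: analyse the callee with exactly this call's tainted parameters
                params = [a.arg for a in self.funcs[name].args.args]
                return self._analyze(self.funcs[name], frozenset(p for p, t in zip(params, arg_taints) if t))
            # unknown function or method: taint flows from receiver and arguments into the result
            receiver = isinstance(node.func, ast.Attribute) and self._expr(node.func.value, env)
            return bool(receiver) or any(arg_taints)
        # constants, operators, f-strings, attribute access, comparisons: tainted if any operand is
        return any(self._expr(c, env) for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr))


def analyze_source(src):
    # Returns (security-relevant findings, all sink calls), each a sorted list of (sink, line).
    analyzer = TaintAnalyzer(ast.parse(src))
    return analyzer.analyze_all(), sorted(analyzer.all_sink_calls)


# Constructed sample program (not from the paper); `def trim` is line 2 of the parsed source.
SAMPLE = '''
def trim(v):
    return v.strip()
def greet(req_name):
    render_html("<p>Hi " + req_name + "</p>")   # sink: relevant only when a caller taints req_name
def handler_xss():
    name = get_param("name")
    greet(name)                                 # tainted argument makes greet's sink relevant
def handler_constant():
    banner = "Welcome"
    render_html(banner)                         # a naive tool flags this; taint analysis does not
def handler_sanitized():
    name = html_escape(get_param("name"))
    render_html(name)                           # sanitised before the sink: not reported
def handler_cmd(debug):
    host = get_param("host")
    if debug:
        host = "localhost"                      # taint killed on this path only
    run_shell("ping " + trim(host))             # tainted via the other path and through trim()
'''
```

Running `analyze_source(SAMPLE)` reports four naive sink warnings (lines 5, 11, 14 and 19 of the sample) but only two security-relevant ones: line 5, because `greet` is reached from `handler_xss` with a tainted argument, and line 19, because the taint on `host` survives the `else` path and passes through `trim`. The constant and sanitised calls drop out, which is the reduction the abstract describes; the analysis is deliberately unsound for anything it does not model (loops, containers, keyword arguments), so a real tool needs a much larger transfer-function set.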
2.
  • Baca, Dejan, et al. (author)
  • Static Code Analysis to Detect Software Security Vulnerabilities : Does Experience Matter?
  • 2009
  • Conference paper (peer-reviewed), abstract:
    • Code reviews with static analysis tools are today recommended by several security development processes. Developers are expected to use the tools' output to detect the security threats they themselves have introduced in the source code. This approach assumes that all developers can correctly identify a warning from a static analysis tool (SAT) as a security threat that needs to be corrected. We have conducted an industry experiment with a state-of-the-art static analysis tool and real vulnerabilities. We found that average developers do not correctly identify the security warnings, and only developers with specific experience are better than chance at detecting the security vulnerabilities. Specific SAT experience more than doubled the number of correct answers, and a combination of security experience and SAT experience almost tripled the number of correct security answers.
3.
  • Barns röster om våld : att tolka och förstå (Children's voices about violence: interpreting and understanding)
  • 2008 (1)
  • Edited volume (editorship) (other academic/artistic), abstract:
    • This book has two aims. The first is, drawing on current research in the field, to give an insight into qualitative, interpretive perspectives on children who experience violence in their family. Here the children's own voices about their experiences and situation are the point of departure. The second aim is to provide basic knowledge of the "new" sociology of childhood as theory and method, both in practical work with this group of children and their families and in research.
4.