Security Code Review with Static Analysis Techniques for the Detection and Remediation of Security Vulnerabilities
1 online resource (203 pages) : PDF
University of North Carolina at Charlotte
Security problems are a large and growing concern. Many security breaches result from vulnerabilities introduced during code construction, sometimes because developers lack security training and sometimes simply by accident. Static analysis, examination of the application source code by a specialized tool, is the current standard solution to this problem. Unfortunately, it produces a very large number of false positives, and it cannot detect application-specific issues without custom rules written for each application. Consequently, these tools are often used only by security experts or abandoned entirely. In this dissertation, I conduct an interview study of application security experts to understand their workflows and the organizational, technical, and communication challenges they face today. From these findings, I introduce tool-assisted security code review, fed by interactive static analysis and interactive annotation, as a way to detect and remediate more vulnerabilities. I also explore the process, the warnings, and the collaboration between the various user roles for this type of tool. Lastly, I provide a set of design guidelines for security code review tools.
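The two failure modes the abstract names, a generic rule set raising a false positive on an application-specific sanitizer and the developer having no way to tell the tool about it, can be shown with a toy taint checker. The following is an added example, not code from the dissertation or its tool: the source/sink vocabulary, the `@sanitizer` decorator used as the annotation, and the sample handler are all constructed for illustration, and the propagation is deliberately simple (flow-insensitive, one module, no interprocedural analysis).

```python
# Toy taint checker illustrating the false-positive problem described above.
# Added example, not code from the dissertation. The "@sanitizer" decorator
# is a hypothetical annotation convention, and SOURCES/SINKS are a tiny
# constructed vocabulary, not a real tool's rule set.
import ast

SOURCES = {"request.args.get", "input"}            # where untrusted data enters
SINKS = {"cursor.execute", "os.system"}             # where tainted data is dangerous
BUILTIN_SANITIZERS = {"int", "shlex.quote"}         # what a generic rule set knows
ANNOTATION = "sanitizer"                            # hypothetical decorator name


def dotted_name(node):
    """Render a Name/Attribute chain such as request.args.get as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def annotated_sanitizers(tree):
    """Collect functions the developer marked with @sanitizer."""
    return {
        fn.name
        for fn in ast.walk(tree)
        if isinstance(fn, ast.FunctionDef)
        and any(dotted_name(d) == ANNOTATION for d in fn.decorator_list)
    }


class TaintChecker(ast.NodeVisitor):
    """Flow-insensitive, intraprocedural taint propagation over one module."""

    def __init__(self, sanitizers):
        self.sanitizers = set(sanitizers)
        self.tainted = set()      # variable names currently holding tainted data
        self.findings = []        # (line, sink) pairs

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            fn = dotted_name(node.func)
            if fn in SOURCES:
                return True
            if fn in self.sanitizers:    # a known sanitizer cleans its arguments
                return False
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):   # string concatenation keeps taint
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-string
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        if fn in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, fn))
        self.generic_visit(node)


def analyze(source, honor_annotations=True):
    """Return (line, sink) findings; with honor_annotations=False the checker
    behaves like a generic tool that knows nothing about the application."""
    tree = ast.parse(source)
    sanitizers = set(BUILTIN_SANITIZERS)
    if honor_annotations:
        sanitizers |= annotated_sanitizers(tree)
    checker = TaintChecker(sanitizers)
    checker.visit(tree)
    return checker.findings


# Constructed sample: allowlist_table() is an application-specific sanitizer
# that no generic rule set knows about.
SAMPLE = """\
import os

@sanitizer
def allowlist_table(name):
    if name not in ("users", "orders"):
        raise ValueError(name)
    return name

def handler(request, cursor):
    table = allowlist_table(request.args.get("t"))
    cursor.execute("SELECT * FROM " + table)              # safe: allowlisted
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id=" + uid)  # real SQL injection
    n = int(request.args.get("n"))
    os.system("head -n " + str(n))                         # safe: int() sanitizes
"""

if __name__ == "__main__":
    print("generic rules:  ", analyze(SAMPLE, honor_annotations=False))
    print("with annotation:", analyze(SAMPLE))
```

Run without annotations, the checker reports both `cursor.execute` calls (lines 11 and 13 of the sample); the first is a false positive, since `allowlist_table` only admits two fixed table names. Once the developer's `@sanitizer` annotation is honored, only the genuine injection on line 13 remains. This is the division of labour the abstract argues for: the tool supplies generic taint rules, and the developer supplies the application-specific knowledge it cannot infer.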
APPLICATION SECURITY; CODE REVIEW; INFORMATION SECURITY; SECURITY CODE REVIEW; SOFTWARE ENGINEERING; STATIC ANALYSIS
Wang, Weichao; Shehab, Mohamed; Chu, Bill; Chen, Shenen
Thesis (Ph.D.)--University of North Carolina at Charlotte, 2018.
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). For additional information, see http://rightsstatements.org/page/InC/1.0/.
Copyright is held by the author unless otherwise indicated.