http://dx.doi.org/10.7840/kics.2013.38C.5.420

Validation Test Codes Development of Static Analysis Tool for Secure Software

Bang, Jiho (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University)
Ha, Rhan (Real-Time Systems Laboratory, Department of Computer Engineering, Hongik University)
Abstract
Recently, for secure software development, static analysis tools have mostly been used to analyze the source code of the software and identify software weaknesses that lead to vulnerabilities. In order to select the optimal static analysis tool, both the weakness rules and the analysis capabilities of the tool are important factors. Therefore, in this paper we propose test codes developed for evaluating the rules and analysis capabilities of such tools. The test codes, which cover 43 weaknesses such as SQL injection, can be used to evaluate the adequacy of the rules and analysis capabilities of the tools.
Keywords
Static Analysis Tool; Weakness; CWE; Test Code; Source Code;