05.03.2015 | Secure Software Development | Funke, Pfretzschner, Zulfiqar Integration of Static Code Analysis in Continuous Integration Lifecycles Source:

Presentation transcript:

Slide 1: Integration of Static Code Analysis in Continuous Integration Lifecycles
Brian Pfretzschner, Sebastian Funke, Hamza Zulfiqar

Slide 2: Why Static Code Analysis?
Static Code Analysis is your personal (security) code auditor!
(Diagram: Code, Auto Analysis, Code Review, Solid Software)

Slide 3: Research questions
1. Where to apply static code analysis in software development processes?
2. How usable is the integration of popular Open Source static code analysers?
3. How usable are the reporting capabilities of popular Open Source static code analysers?

Slide 4: Where to apply static code analysis?
Directly in IDEs (e.g. Eclipse)
In Continuous Integration (CI) systems (e.g. Jenkins)
In external Code Quality Management (CQM) tools (e.g. SonarQube)

Slide 5: Usability Evaluation of Static Code Analysis Integration
Evaluation method: cognitive walkthrough with usability inspection
1. Prepare analysis
2. Run analysis
3. Evaluate analysis results
4. Manage results
Usability questions in every walkthrough stage

Slide 6: Evaluated Tools
IDE: Eclipse
CI: Jenkins
CI: TeamCity
CQM: SonarQube

Slide 7: Comparison Results

Slide 8: Conclusion
Open Source analysers lack multi-language support
Analyser customization (rules) is hard to accomplish
Analysis in the IDE is not efficient, central or easy to manage
Analysis in CI tools is hard to configure
Reporting capabilities of analysers in CI are not usable => external Code Quality Management tools do the job
Good idea to use many analysers, BUT: many duplicate findings => future approach: a tool to filter duplicates and false positives
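The duplicate-finding problem named in the conclusion can be handled by normalizing every finding to a tool-independent key before it is reported. The Python script below is an added example and not part of the presentation; the analyser names, rule ids, rule-to-category map and finding records are all constructed here and do not mirror any real analyser's output format.

```python
"""Merge findings from several static analysers, collapsing duplicates and
dropping reviewed false positives. Added example with constructed data."""
from collections import OrderedDict

# Constructed mapping from tool-specific rule ids to a shared category, so the
# same weakness flagged by two analysers lands on one key.
RULE_CATEGORY = {
    ("analyserA", "SQLI"): "sql-injection",
    ("analyserB", "B-101"): "sql-injection",
    ("analyserA", "HCPW"): "hardcoded-credential",
    ("analyserB", "B-102"): "hardcoded-credential",
}

def normalize(finding):
    """Return a tool-independent key (path, line, category) for one finding."""
    path = finding["file"].replace("\\", "/")
    if path.startswith("./"):
        path = path[2:]
    # Unmapped rule ids keep their own id as the category, so nothing is lost.
    category = RULE_CATEGORY.get((finding["tool"], finding["rule"]), finding["rule"])
    return (path, int(finding["line"]), category)

def merge_findings(findings, suppressed=()):
    """Collapse findings sharing a key into one entry listing every tool that
    reported it; keys in `suppressed` (reviewed false positives) are dropped."""
    merged = OrderedDict()
    for f in findings:
        key = normalize(f)
        if key in suppressed:
            continue
        entry = merged.setdefault(
            key, {"file": key[0], "line": key[1], "category": key[2], "reported_by": []})
        if f["tool"] not in entry["reported_by"]:
            entry["reported_by"].append(f["tool"])
    return list(merged.values())

# Constructed sample: two analysers over the same checkout, one reviewed false positive.
SAMPLE = [
    {"tool": "analyserA", "file": "./src/Login.java", "line": 42, "rule": "SQLI"},
    {"tool": "analyserB", "file": "src/Login.java", "line": "42", "rule": "B-101"},
    {"tool": "analyserA", "file": "src/Config.java", "line": 7, "rule": "HCPW"},
    {"tool": "analyserB", "file": "src/Config.java", "line": 7, "rule": "B-102"},
    {"tool": "analyserB", "file": "src/Util.java", "line": 13, "rule": "B-305"},
]
SUPPRESSED = {("src/Config.java", 7, "hardcoded-credential")}  # reviewed: test fixture value

if __name__ == "__main__":
    for entry in merge_findings(SAMPLE, SUPPRESSED):
        print(entry)
```

Keeping the suppression list keyed on the normalized tuple rather than on a tool's own rule id means a false positive stays suppressed even when a second analyser starts flagging the same line.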

Slide 9: Questions