Tools for Code Review Static Analysis Handles unfinished code

Tools for Code Review

Static Analysis
    Handles unfinished code
    Can find backdoors
    Potentially complete

Dynamic Analysis
    Runs the code
    Source code not needed
    Has few(er) assumptions
    Covers end-to-end or system tests

Static Analysis Tools

Open source static analysis tools:
    Cppcheck, http://cppcheck.sourceforge.net/
    Rough Auditing Tool for Security (RATS), https://security.web.cern.ch/security/recommendations/en/codetools/rats.shtml
    Flawfinder, http://www.dwheeler.com/flawfinder/

Evaluated based on:
    Efficiency
    Correctness
    Speed
    Understandability of the results

Results and Major Contributions

Outcome of the students' evaluation:
    Flawfinder is the most efficient
    Cppcheck is the most accurate of the three
    RATS is the fastest, and the understandability of its results is good

Sample Vulnerabilities

SAMATE Reference Dataset (SRD), http://samate.nist.gov/SRD
    Search for common vulnerabilities
    Experiment with the tools
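The slides compare three name-based scanners and then point at the SRD as the place to get labelled test cases for trying them out. The following Python is an added example, not code from the presentation or from any of the three tools: it implements a toy lexical scanner of the kind Flawfinder and RATS are built on (match risky C library calls by name after discarding comments and string literals) and scores it against a small, constructed corpus of flawed cases and fixed twins in the spirit of the SRD. The rule table, the test cases and their flaw labels are all constructed for this example; the CWE ids are the standard weakness classes for the calls listed.

```python
import re
from collections import namedtuple

# Constructed rule table: C calls that name-based scanners such as Flawfinder and
# RATS report on sight. CWE-120 / CWE-78 are the standard weakness classes.
RISKY_CALLS = {
    "gets": ("CWE-120", "unbounded read; use fgets with a size"),
    "strcpy": ("CWE-120", "unbounded copy; use a length-checked copy"),
    "sprintf": ("CWE-120", "unbounded format; use snprintf"),
    "system": ("CWE-78", "data reaches a shell; prefer execve with fixed argv"),
}
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RISKY_CALLS)) + r")\s*\(")

Finding = namedtuple("Finding", "line call cwe advice")
# flaw_lines: line numbers labelled as flawed (empty for fixed twins and decoys)
TestCase = namedtuple("TestCase", "name flaw_lines source")

def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and literals so a call name that only appears in one is
    not reported; newlines are kept so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    src = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', src)
    return re.sub(r"'(?:\\.|[^'\\\n])*'", "''", src)

def scan(source: str) -> list:
    """Lexical scan: report every call site whose callee is in RISKY_CALLS."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(source).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            cwe, advice = RISKY_CALLS[m.group(1)]
            findings.append(Finding(lineno, m.group(1), cwe, advice))
    return findings

# Constructed corpus in the SRD spirit: flawed cases, a fixed twin, and cases chosen
# to show where a purely lexical scanner is right and where it is wrong.
CORPUS = [
    TestCase("bad_strcpy", frozenset({3}), """\
#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);            /* flaw: no bound on dst */
}
"""),
    TestCase("good_snprintf", frozenset(), """\
#include <stdio.h>
void copy(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src); /* fixed twin of bad_strcpy */
}
"""),
    TestCase("bad_gets_system", frozenset({5, 6}), """\
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    char buf[64];
    gets(buf);                   /* flaw: no length limit */
    system(buf);                 /* flaw: user data reaches the shell */
    return 0;
}
"""),
    TestCase("lookalikes_only", frozenset(), """\
/* strcpy() is banned by the coding standard */
const char *banner = "never call gets()";
char *my_strcpy_wrapper(void);  /* a declaration, not a call */
"""),
    TestCase("safe_constant", frozenset(), """\
#include <string.h>
void set_default(char dst[16]) {
    strcpy(dst, "default");      /* fits; a name-based rule still fires */
}
"""),
    TestCase("missed_loop", frozenset({3}), """\
void copy_loop(char *dst, const char *src) {
    int i = 0;
    while (src[i]) { dst[i] = src[i]; i++; }   /* flaw: dst length never checked */
    dst[i] = '\\0';
}
"""),
]

def score(corpus: list) -> dict:
    """Line-level precision and recall of scan() against the corpus labels."""
    tp = fp = fn = 0
    for case in corpus:
        found = {f.line for f in scan(case.source)}
        tp += len(found & case.flaw_lines)
        fp += len(found - case.flaw_lines)
        fn += len(case.flaw_lines - found)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 1.0,
            "recall": tp / (tp + fn) if tp + fn else 1.0}

if __name__ == "__main__":
    for case in CORPUS:
        for f in scan(case.source):
            print(f"{case.name}:{f.line}: {f.call}() [{f.cwe}] {f.advice}")
    print(score(CORPUS))
```

Run as a script it lists each finding and then the totals. The corpus is deliberately built so the scanner gets both kinds of error: safe_constant produces a false positive (a constant that fits is still reported, because the rule only sees the callee name), and missed_loop produces a false negative (a hand-written copy loop has no library call to match). That is the trade-off the evaluation slide summarises as efficiency versus correctness: a name-based tool is cheap and quick to run over unfinished code, and a tool that tracks values, as Cppcheck does, can be slower but more accurate. To evaluate the real tools the same way, replace scan() with a parser for each tool's report and point the corpus at SRD test cases, whose good and bad variants carry the labels.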