
Making Source Code Analysis Part of the Security Review Process

Authored on: May 3, 2007 by Brian Chess and Jacob West

Technical Paper / Conference Paper


Tools that assist with security review are fundamentally different from most other kinds of software development tools: the need for software security rarely creates the kind of urgency that leads a programmer to run a debugger. For this reason, an organization needs to plan out who will conduct security reviews, when the reviews will take place, and what will be done with the results. Static analysis tools should be part of that planning because they can make the review process significantly more efficient. In this chapter, we explore two perspectives on code review. In the first, we look at the steps involved in performing a single review and at the most common problem that review teams run into: debates about exploitability. In the second, we look at the choices an organization needs to make in order to integrate security review (and the accompanying tools) into the software development process, including deciding who will run the tool, when they will run it, and what will happen to the results. We also look at metrics derived from static analysis results.
