Constentini (talk | contribs) Clarified the reference to static program analysis
Altered template type. Add: chapter-url, isbn, chapter, title. Removed or converted URL. | Use this tool. Report bugs. | #UCB_Gadget
Line 5:
A SAST tool scans the source code of applications and its components to identify potential security vulnerabilities in their software and architecture.
Static analysis tools can detect an estimated 50% of existing security vulnerabilities.<ref>
{{Cite
|last1=Okun|first1=V.
|last2=Guthrie|first2=W. F.
|last3=Gaucher|first3=H.
|last4=Black|first4=P. E.
|
|s2cid=6663970
|date=October 2007
▲|journal=Proceedings of the 2007 ACM Workshop on Quality of Protection
|pages=1–5
|publisher=ACM
|doi=10.1145/1314257.1314260
|isbn=978-1-59593-885-5
|chapter-url=https://samate.nist.gov/docs/SA_tool_effect_QoP.pdf
}}</ref>
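Review bot: the `{{Cite` template in this hunk has no template type after `Cite`, no `|title=` or `|chapter=` line, and a line holding only `|`, which is an empty parameter; the same source appears in the Line 212 hunk with `|title= Effect of static analysis tools on software security: preliminary investigation`, so at minimum that title line belongs here too. Since the page already uses named references (`<ref name="ReferenceA">` in the next hunk), give this first occurrence a name such as `<ref name="Okun2007">` and reuse it below instead of repeating the full template. Minor wording: "the source code of applications and its components" should read "their components".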
Line 36 ⟶ 37:
|publisher=IEEE
|doi=10.1109/MS.2008.130
}}</ref> even if the many resulting [[False positives and false negatives#False positive error|false-positive]] impede its adoption by developers<ref name="ReferenceA">{{Cite
|last1=Johnson|first1=Brittany
|last2=Song|first2=Yooki
|last3=Murphy-Hill|first3=Emerson
|last4=Bowdidge|first4=Robert
|
|date=May 2013
▲|title= Why don't software developers use static analysis tools to find bug
▲|journal=ICSE '13 Proceedings of the 2013 International Conference on Software Engineering
|pages=672–681
|doi=10.1109/ICSE.2013.6606613
|isbn=978-1-4673-3076-3
}}</ref>
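Review bot: the line `|title= Why don't software developers use static analysis tools to find bug` is cut short (the paper's title ends in "find bugs?"), `|journal=` is holding conference proceedings rather than a journal, and the bare `|` line is an empty parameter. The Tahaei et al. citation in the Line 248 hunk shows the convention to follow on this page: `{{cite book` with `|title=` for the proceedings and `|chapter=` for the paper. In the prose, "the many resulting false-positive impede its adoption" needs the plural "false positives".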
Line 212 ⟶ 214:
}}</ref>
SAST tools run automatically, either at the code level or application-level and do not require interaction. When integrated into a CI/CD context, SAST tools can be used to automatically stop the integration process if critical vulnerabilities are identified.<ref>
{{Cite
|last1=Okun|first1=V.
|last2=Guthrie|first2=W. F.
|last3=Gaucher|first3=H.
|last4=Black|first4=P. E.
▲|
|s2cid=6663970
|date=October 2007
▲|title= Effect of static analysis tools on software security: preliminary investigation
▲|journal=Proceedings of the 2007 ACM Workshop on Quality of Protection
|pages=1–5
|publisher=ACM
|doi=10.1145/1314257.1314260
|isbn=978-1-59593-885-5
|chapter-url=https://samate.nist.gov/docs/SA_tool_effect_QoP.pdf
}}</ref>
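Review bot: this `{{Cite` block repeats the Okun et al. 2007 citation from the Line 5 hunk parameter for parameter (same doi, isbn, s2cid and chapter-url), again with no template type and an empty `|` line; replace it with a named-reference reuse (the `<ref name="auto"/>` form already used in the next hunk) so the two copies cannot drift apart. Check as well that this 2007 paper on the effect of static analysis tools on software security actually supports the sentence it is attached to, which is about stopping a CI/CD pipeline on critical findings; if it does not, cite a source on CI/CD integration or leave the sentence uncited. Hyphenation in "code level or application-level" should be made consistent.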
Line 248 ⟶ 251:
==SAST weaknesses==
Even though developers are positive about the usage of SAST tools, there are different challenges to the adoption of SAST tools by developers.<ref name="auto"/> The usability of the output generated by these tools may challenge how much developers can make use of these tools. Research shows that despite the long out generated by these tools, they may lack usability.<ref>{{cite book |last1=Tahaei |first1=Mohammad |last2=Vaniea |first2=Kami |last3=Beznosov |first3=Konstantin (Kosta) |last4=Wolters |first4=Maria K |title=Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems |chapter=Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them |date=6 May 2021 |pages=1–17 |doi=10.1145/3411764.3445616|isbn=9781450380966 |s2cid=233987670 |url=https://www.research.ed.ac.uk/en/publications/e1bc04ef-ae83-4e82-8ade-ca572bc503d2 }}</ref>
With Agile Processes in software development, early integration of SAST generates many bugs, as developers using this framework focus first on features and delivery.<ref>
|
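Review bot: "despite the long out generated by these tools" is missing a word (presumably "output"), and the `<ref>` opened at the end of the Agile sentence ends in the hunk as a lone `|`, so the template is unclosed in what is shown and cannot be reviewed; make sure it is completed with a title and doi before saving. Also, "Agile Processes" should not be capitalised, and the two sentences "The usability of the output ... may challenge how much developers can make use of these tools" and "Research shows that despite the long out ..., they may lack usability" make the same point and should be merged.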