Revision as of 08:03, 18 December 2020 edit 122.175.103.210 (talk) removed .tv after 1998 ← Previous edit		Revision as of 08:52, 15 January 2021 edit undo Yobot (talk \| contribs) Bots 4,733,870 edits m References after punctuation per WP:REFPUNCT, WP:CITEFOOT, WP:PAIC + other fixes Tag: AWB Next edit →
Line 17: \|doi=10.1145/1314257.1314260 \|url=https://samate.nist.gov/docs/SA_tool_effect_QoP.pdf }}</ref>. In [[Software development process\|SDLC]], SAST is performed early in the development process and at code level, and also when all pieces of code and components are put together in a consistent testing environment. SAST is also used for software quality assurance.<ref> Line 35: \|publisher=IEEE \|doi=10.1109/MS.2008.130 }} </ref> even if the many resulting [[~~False_positives_and_false_negatives~~False positives and false negatives#~~False_positive_error~~False positive error\|false-positive]] impede its adoption by developers<ref name="ReferenceA">{{Cite journal ~~{{Cite journal~~ \|last1=Johnson\|first1=Brittany \|last2=Song\|first2=Yooki Line 46 ⟶ 45: \|pages=672–681 \|isbn=978-1-4673-3076-3 }}</ref> ~~</ref>~~ SAST tools are integrated into the development process to help development teams as they are primarily focusing on developing and delivering software respecting requested specifications.<ref name="auto"> {{Cite journal \|last1=Oyetoyan\|first1=Tosin Daniel Line 59 ⟶ 57: \|pages=86–103 \|publisher=Springer }}</ref>. SAST tools, like other security tools, focus on reducing the risk of downtime of applications or that private information stored in applications will not be compromised. Line 81 ⟶ 79: \|doi=10.1109/COMPSAC.2018.00139 \|isbn=978-1-5386-2666-5 }}</ref>. Static analysis tools examine the text of a program syntactically. They look for a fixed set of patterns or rules in the source code. Theoretically, they can also examine a compiled form of the software. This technique relies on [[instrumentation]] of the code to do the mapping between compiled components and source code components to identify issues. Static analysis can be done manually as a [[~~Code review\|~~code review]] or [[Software audit review\|auditing]] of the code for different purposes, including security, but it is time-consuming.<ref> {{Cite journal \|last1=Chess\|first1=B. Line 159 ⟶ 157: \|doi=10.1201/1078.10580530/46108.23.3.20060601/93704.3 }}</ref> Following the flow of data between all the components of an application or group of applications allows validation of required calls to dedicated procedures for [[~~Code_injection~~Code injection#~~Preventing_problems~~Preventing problems\|sanitization]] and that proper actions are taken to taint data in specific pieces of code.<ref> {{Cite journal \|last1=Livshits\|first1=V.B. Line 260 ⟶ 258: }}</ref> Scanning many lines of code with SAST tools may result in hundreds or thousands of vulnerability warnings for a single application. It generates many false-positives, increasing investigation time and reducing trust in such tools. This is particularly the case when the context of the vulnerability cannot be caught by the tool<ref name="ReferenceA"/> ~~{{Cite journal~~ ~~\|last1=Johnson\|first1=Brittany~~ ~~\|last2=Song\|first2=Yooki~~ ~~\|last3=Murphy-Hill\|first3=Emerson~~ ~~\|last4=Bowdidge\|first4=Robert~~ ~~\|date=May 2013~~ ~~\|title= Why don't software developers use static analysis tools to find bug~~ ~~\|journal=ICSE '13 Proceedings of the 2013 International Conference on Software Engineering~~ ~~\|pages=672–681~~ ~~\|isbn=978-1-4673-3076-3~~ ~~}}</ref>~~ ==References== {{reflist}} {{Improve categories\|date=July 2020}}▼ [[Category:Software]] Line 280 ⟶ 269: [[Category:Static program analysis\| ]] [[Category:Program analysis]] ▲{{Improve categories\|date=July 2020}} [[Category:Software development process]] [[Category:Agile software development]]

Static application security testing: Difference between revisions