Testing for Software Security: A Case Study on Static Code Analysis of a File Reader Java Program

2012 ◽  
pp. 529-538
Author(s):  
Natarajan Meghanathan ◽  
Alexander Roy Geoghegan
Keyword(s):  
Software Security ◽  
Code Analysis ◽  
Static Code Analysis ◽  
Java Program

A Case Study on Testing for Software Security

2012 ◽  
pp. 89-112
Author(s):  
Natarajan Meghanathan ◽  
Alexander Roy Geoghegan
Keyword(s):  
Software Security ◽  
Denial Of Service ◽  
Source Code ◽  
Code Analysis ◽  
Software Vulnerabilities ◽  
Static Code Analysis ◽  
Software Program ◽  
Automated Tools ◽  
High Level

The high-level contribution of this book chapter is to illustrate how to conduct static code analysis of a software program and mitigate the vulnerabilities associated with the program. The automated tools used to test for software security are the Source Code Analyzer and Audit Workbench, developed by Fortify, Inc. The first two sections of the chapter are comprised of (i) An introduction to Static Code Analysis and its usefulness in testing for Software Security and (ii) An introduction to the Source Code Analyzer and the Audit Workbench tools and how to use them to conduct static code analysis. The authors then present a detailed case study of static code analysis conducted on a File Reader program (developed in Java) using these automated tools. The specific software vulnerabilities that are discovered, analyzed, and mitigated include: (i) Denial of Service, (ii) System Information Leak, (iii) Unreleased Resource (in the context of Streams), and (iv) Path Manipulation. The authors discuss the potential risk in having each of these vulnerabilities in a software program and provide the solutions (and the Java code) to mitigate these vulnerabilities. The proposed solutions for each of these four vulnerabilities are more generic and could be used to correct such vulnerabilities in software developed in any other programming language.

scholarly journals A Review of Static Code Analysis Methods for Detecting Security Flaws

2021 ◽  
Vol 23 (06) ◽  
pp. 647-653
Author(s):  
bhayakumara S Basutakara ◽  
◽  
Dr. Jayanthi P N ◽  
Keyword(s):  
Development Process ◽  
Data Flow ◽  
Software Security ◽  
Flow Analysis ◽  
Data Flow Analysis ◽  
Code Analysis ◽  
Static Code Analysis ◽  
Wide Range ◽  
Vulnerability Testing ◽  
Early Indication

Static checkers are commonly used by programmers; they verify our programmers for flaws without executing them, a process known as static code analysis. It works with a program that has an early indication of correctness in this way, attempting to avoid well-known traps and problems before comparing it to its specifications. Software security is becoming increasingly crucial in order for programmers to be universally accepted for a wide range of transactions. During the development process, automated code analyzers can be used to detect security flaws. The purpose of this paper is to provide an overview of static code analysis and how it may be used to uncover security flaws. This document summarizes and presents the most recent discoveries and publications. The gains flow, and methods of static code analyzers are discussed in this study. It can be viewed as a stepping stone toward more research in this area. In Java, there are two types of static code checkers: those that work directly on the source code and those that work on the produced bytecode. Although each code checker is unique, they all share some common characteristics. They read the software and build a model of it, an abstract representation that they may use to match the error patterns they notice. They also perform a data-flow analysis, attempting to deduce the probable values of variables at various stages in the program. Vulnerability testing, an increasingly significant field for code checkers, necessitates data-flow analysis.

scholarly journals Automated Code-Smell Detection in Microservices Through Static Analysis: A Case Study

2020 ◽  
Vol 10 (21) ◽  
pp. 7800
Author(s):  
Andrew Walker ◽  
Dipta Das ◽  
Tomas Cerny
Keyword(s):  
Distributed Applications ◽  
Code Smells ◽  
Typical Application ◽  
Code Analysis ◽  
Enterprise Application ◽  
Static Code Analysis ◽  
Code Smell ◽  
Complex Architecture ◽  
Microservice Architecture

Microservice Architecture (MSA) is becoming the predominant direction of new cloud-based applications. There are many advantages to using microservices, but also downsides to using a more complex architecture than a typical monolithic enterprise application. Beyond the normal poor coding practices and code smells of a typical application, microservice-specific code smells are difficult to discover within a distributed application setup. There are many static code analysis tools for monolithic applications, but tools to offer code-smell detection for microservice-based applications are lacking. This paper proposes a new approach to detect code smells in distributed applications based on microservices. We develop an MSANose tool to detect up to eleven different microservice specific code smells and share it as open-source. We demonstrate our tool through a case study on two robust benchmark microservice applications and verify its accuracy. Our results show that it is possible to detect code smells within microservice applications using bytecode and/or source code analysis throughout the development process or even before its deployment to production.

Sign in / Sign up

Export Citation Format

Share Document