Software Engineering Institute | Carnegie Mellon University

Technical Note

Improving the Automated Detection and Analysis of Secure Coding Violations

Abstract

Coding errors cause the majority of software vulnerabilities. For example, 64% of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors. The CERT Division’s Source Code Analysis Laboratory (SCALe) offers conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java, using various analysis tools available from commercial software vendors. Unfortunately, the current SCALe analysis process and tools do not collect any statistics about the accuracy of the code analysis tools or about the coding violations they flag, such as frequency of occurrence. This paper describes the approach used to add the ability to collect and statistically analyze data regarding coding violations and tool characteristics, along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.

Cite This Report

SEI

Plakosh, Daniel; Seacord, Robert; Stoddard, Robert; Svoboda, David; & Zubrow, David. Improving the Automated Detection and Analysis of Secure Coding Violations (CMU/SEI-2014-TN-008). Software Engineering Institute, Carnegie Mellon University, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=295724

IEEE

D. Plakosh, R. Seacord, R. Stoddard, D. Svoboda, and D. Zubrow, "Improving the Automated Detection and Analysis of Secure Coding Violations," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2014-TN-008, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=295724

APA

Plakosh, D., Seacord, R., Stoddard, R., Svoboda, D., & Zubrow, D. (2014). Improving the Automated Detection and Analysis of Secure Coding Violations (CMU/SEI-2014-TN-008). Retrieved December 21, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=295724

CHI

Daniel Plakosh, Robert Seacord, Robert Stoddard, David Svoboda, & David Zubrow. Improving the Automated Detection and Analysis of Secure Coding Violations (CMU/SEI-2014-TN-008). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=295724

MLA

Plakosh, Daniel, Robert Seacord, Robert Stoddard, David Svoboda, and David Zubrow. 2014. Improving the Automated Detection and Analysis of Secure Coding Violations (Technical Report CMU/SEI-2014-TN-008). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=295724