search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Improving the Automated Detection and Analysis of Secure Coding Violations

Technical Note
By
This technical note describes the accuracy analysis of the Source Code Analysis Laboratory (SCALe) tools and the characteristics of flagged coding violations.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2014-TN-008
DOI (Digital Object Identifier)
10.1184/R1/6574265.v1
Subjects

Abstract

Coding errors cause the majority of software vulnerabilities. For example, 64% of the nearly 2,500 vulnerabilities in the National Vulnerability Database in 2004 were caused by programming errors. The CERT Division’s Source Code Analysis Laboratory (SCALe) offers conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java, using various analysis tools available from commercial software vendors. Unfortunately, the current SCALe analysis process and tools do not collect any statistics about the accuracy of the code analysis tools or about the coding violations they flag, such as frequency of occurrence. This paper describes the approach used to add the ability to collect and statistically analyze data regarding coding violations and tool characteristics along with the initial results. The collected data will be used over time to improve the effectiveness of the SCALe analysis.

SHARE
Download PDF
Part of a Collection

SCALe Collection
Cite This Technical Note

Plakosh, D., Seacord, R., Stoddard, R., Svoboda, D., & Zubrow, D. (2014, June 27). Improving the Automated Detection and Analysis of Secure Coding Violations. (Technical Note CMU/SEI-2014-TN-008). Retrieved April 18, 2024, from https://doi.org/10.1184/R1/6574265.v1.

@techreport{plakosh_2014,
author={Plakosh, Daniel and Seacord, Robert and Stoddard, Robert and Svoboda, David and Zubrow, David},
title={Improving the Automated Detection and Analysis of Secure Coding Violations},
month={Jun},
year={2014},
number={CMU/SEI-2014-TN-008},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574265.v1},
note={Accessed: 2024-Apr-18}
}

Plakosh, Daniel, Robert Seacord, Robert Stoddard, David Svoboda, and David Zubrow. "Improving the Automated Detection and Analysis of Secure Coding Violations." (CMU/SEI-2014-TN-008). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, June 27, 2014. https://doi.org/10.1184/R1/6574265.v1.

D. Plakosh, R. Seacord, R. Stoddard, D. Svoboda, and D. Zubrow, "Improving the Automated Detection and Analysis of Secure Coding Violations," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2014-TN-008, 27-Jun-2014 [Online]. Available: https://doi.org/10.1184/R1/6574265.v1. [Accessed: 18-Apr-2024].

Plakosh, Daniel, Robert Seacord, Robert Stoddard, David Svoboda, and David Zubrow. "Improving the Automated Detection and Analysis of Secure Coding Violations." (Technical Note CMU/SEI-2014-TN-008). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 27 Jun. 2014. https://doi.org/10.1184/R1/6574265.v1. Accessed 18 Apr. 2024.

Plakosh, Daniel; Seacord, Robert; Stoddard, Robert; Svoboda, David; & Zubrow, David. Improving the Automated Detection and Analysis of Secure Coding Violations. CMU/SEI-2014-TN-008. Software Engineering Institute. 2014. https://doi.org/10.1184/R1/6574265.v1

Ask a question about this Technical Note