Secure Programming With Static Analysis
Secure Programming with Static Analysis
The First Expert Guide to Static Analysis for Software Security! Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now there is a complete guide to static analysis: how it works, how to integrate it into the software development process, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate their main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.
A Functioning Code May Not be a Secure Code
Eleanor Roosevelt once said: "Learn from the mistakes of others. You can't live long enough to make them all yourself." Mistakes are almost inevitable while coding or designing a system. Therefore, patches are created to fix the issues in the code, either after a manual review or through a static analysis tool. Oftentimes, mistakes in programming emanate from a lack of skill, and thus competence, with a particular programming language, but negligence also plays a role in other instances. Functioning code that solves a particular problem does not guarantee that the code is secure; hence the code should be structured to meet secure programming guidelines and principles. Most students tend to stop at functioning code, paying less attention to the security aspects of programming. This ultimately affects the industries where software security is a priority. Therefore, students should be motivated to practice secure programming at the academic level. It will grow their interest in writing professional code from the beginning and raise their value as new developers in a competitive world. How do we bridge the gap between the common mistakes made by new developers and those made by professional developers? Strict coding practices must be enforced in academia, and an updated database of common programming errors must be kept as a guide to prepare rookie programmers for the software development industry. New developers also tend to make light of security when writing programs, and this becomes a habit that negatively affects the software industry. The primary objective of this study is to determine how negligent students are in writing secure code, analyze their complacency, and understand the effect it has on new developers in the software development industry. To achieve this objective, two surveys were created. The first survey was designed to understand students' views on secure coding and to collect code samples from them. The second survey was structured to collect senior managers' views about new developers when they first get started in the programming industry. The code samples were then analyzed to find frequently occurring common mistakes, and the students' common mistakes were compared to the Common Vulnerabilities and Exposures database (CWE). Professional developers were also asked about the common mistakes these new developers make, to understand what the industry expects from them. The results suggest that students rarely care about security while programming. 60 participants out of 98 focused more on the proper functioning of code than on the security aspects of code. About 30% of the participants have never considered the security of a program they developed, and 93% of the participants among them intend to pursue a career in a software programming field in the future. Based on these findings, it is essential to strengthen security education at the academic level so that students can become conscientious programming professionals. The results of the second survey show that most managers are concerned about security and expect entry-level programmers to know a thing or two about software security. Close to 90% of managers suggest it would be a good idea for programming students to be knowledgeable about secure programming before they enter the industry.