Professional Documents
Culture Documents
Sunaan Sultan
Ikra Chowdhury Nowkshi
Shahriar Ahmed Siyam
Md. Rayhan Billah
Improving software security with static
automated code analysis in an industry
setting
Dejan Baca, Bengt Carlsson, Kai Petersen and Lars Lundberg
3/3/24 2
Scope
• The paper presents a case study of using a static code analysis tool
(Coverity Prevent) at Ericsson AB, a telecommunication company, to detect
and correct vulnerabilities in four different products developed in C++.
• The authors analyzed how developers classified and corrected the warnings
reported by the SAT tool. They found that many false positives and security
warnings were misclassified or ignored by the SAT, and that some
corrections were harmful or ineffective.
3/3/24 3
Methodology
3/3/24 4
Methodology
Capabilities Evaluation:
• Static analysis findings: Analyzing warnings reported by the tool,
categorizing them into false positives, true positives, and security warnings.
• Bug report comparison: Examining existing bug reports to determine if
static analysis could have prevented them.
Deployment Evaluation:
• Semi-structured interviews: Conducted with project managers and
developers to assess the success of deployment strategies and the
perceived usefulness of the tool.
3/3/24 5
Methodology
3/3/24 6
Results
3/3/24 7
Results
3/3/24 8
Pros & cons
Pros
• Early Detection: SACA helps in early identification of vulnerabilities,
reducing the cost of rework.
• Defect Detection: It is capable of detecting memory-related
vulnerabilities and other types.
• Integration: Suggests integrating the tool with bug reporting systems
for better deployment.
3/3/24 9
Pros & cons
Cons
• False Positives: SACA can generate incorrect warnings, leading to
unnecessary rework.
• Developer Reliance: Success depends on developers’ perception and
classification of tool warnings.
• New Vulnerabilities: Incorrect correction of false positives may
introduce new vulnerabilities.
3/3/24 10
Limitations
• The study cannot make definitive claims about the tool’s inability to
detect certain vulnerabilities because the total population of faults is
unknown. The research only shows what the tool can detect, not
what it misses.
3/3/24 11
A Static Code Analysis Tool for Control
System Software
Stefan Hauck-Stattelmann, Sreeja Nair, Raoul Jetley, and Anil Nair
12
Introduction
Software analysis, or program analysis, aims at automatically determining properties on the behavior
patterns of programs. These analyses are crucial for various purposes such as optimizing compilers,
software verification and validation, and data conversion. They aim to provide reliable and accurate
insights into the dynamic behavior of programs.
13
Objectives
1 2 3
14
System Overview
15
Overview of the Static Analysis Tool
16
Overview of the Static Analysis Tool
• Syntax Analysis: In simpler terms, the parser is like a translator that reads and understands the
code written in ST and FBD languages, helping the static analysis tool to effectively analyze
control system applications.
• Semantic Analysis: the tool checks the code to make sure that the data used in it is used
correctly, and it does this by giving each part of the code a specific datatype and then checking if
any rules are broken.
17
Overview of the Static Analysis Tool
18
Prototype Implementation
19
Preliminary Result
The prototype implementation of the static analysis tool was used to check control code used in a paper
manufacturing factory. The presented prototype tool has been successfully applied and reports 103
issues.
20
Code Quality Improvement for All:
Automated Refactoring
Peeratham Techapalokul and Eli Tilevich
Introduction
Introduce four new Scratch refactorings: Extract Custom Block, Extract Parent Sprite,
Extract Constant, Reduce Variable Scope.
Implement automated refactoring to remove highly recurring Scratch code smells.
Scope
Introducing automated refactoring to Scratch boosts code quality by integrating advanced program
analysis and transformation capabilities. These enhancements not only elevate code quality metrics but
also inspire programmers to refine their code. By eliminating repetitive code smells from Scratch
projects, it significantly enhances overall code quality.
We plan to investigate further how novice programmers interact with the refactoring tools as part of the
overall programming process
Result
Introduced refactorings improve code quality metrics in Scratch projects. Refactoring tools
motivate programmers to enhance code quality.
Conclusion