On the combination of static analysis for software security assessment -- a case study of an open-source e-government project

Anh Nguyen-Duc, Manh Viet Do, Quan Luong Hong, Kiem Nguyen Khac

Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development and security assessment poses various technical and managerial challenges. In this work, we reported a longitudinal case study of adopting SAST as a part of a human-driven security assessment for an open-source e-government project. We described how SASTs are selected, evaluated, and combined into a novel approach for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our result shows that while some SAST tools out-perform others, it is possible to achieve better performance by combining more than one SAST tool. A combined approach has the potential to aid the security assessment process for open-source software.

Knowledge Graph

arrow_drop_up

Comments

Sign up or login to leave a comment