On the adoption of static analysis for software security assessment–A case study of an open-source e-government project

Bibliographic Details
Published in: Computers & Security, 2021-12, Vol. 111, p. 102470, Article 102470
Main Authors: Nguyen-Duc, Anh; Do, Manh Viet; Luong Hong, Quan; Nguyen Khac, Kiem; Nguyen Quang, Anh
Format: Article
Language: English
Description
Summary: Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development for security assessment poses various technical and managerial challenges. In this work, we report results from a case study of adopting SAST as part of a human-driven security assessment process in an open-source e-government project. We describe how SAST tools were selected, evaluated, and combined into a novel approach that security experts adopted for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that while some SAST tools outperform others, better performance can be achieved by combining more than one SAST tool. The combined approach has the potential to aid the security assessment process for open-source software.
ISSN: 0167-4048 (print), 1872-6208 (online)
DOI: 10.1016/j.cose.2021.102470