Abstract
As part of an overall initiative to improve the security aspects in the software used in Motorola's products, training and secure coding standards were developed. The goal is to decrease the number of security vulnerabilities introduced during the coding phase of the software development process. This paper describes the creation of the secure coding standards and the efforts to automate as many of the standards as possible.
Originally, the efforts focused on the Inforce tool from Klocwork, as many Motorola business units already used the tool for quality but without the security flags activated. This paper describes the efforts to evaluate, extend, and create the coverage for the secure coding standards with Klocwork. More recently, an opportunity arose which allowed a team to evaluate other static analysis tools as well. This paper also describes the findings from that evaluation.
- Kratkiewicz, K. J. (May, 2005). Diagnostic Test Suite for Evaluating Buffer Overflow Detection Tools -- the companion test suite for "Evaluating Static Analysis Tools for Detecting Buffer Overflows in C Code. Retrieved September 11, 2007 from http://www.ll.mit.edu/IST/pubs/KratkiewiczThesis.pdfGoogle Scholar
- Howard, M., and LeBlanc, D. (2003). Writing Secure Code. Redmond, Washington: Microsoft Press. Google Scholar
Digital Library
- Wikipedia (N.D.) Definition of Memory Leak. Retrieved September 11, 2007 from <http://en.wikipedia.org/wiki/Memory_leak>Google Scholar
- Software Diagnotics and Conformance Testing Division. (July 2005,) SAMATE- Software Assurance Metrics and Tool Evaluation. Retrieved September 11, 2007 from http://samate.nist.gov/index.php/Main_PageGoogle Scholar
Index Terms
Static analysis tools for security checking in code at Motorola
Recommendations
Comparing Static Security Analysis Tools Using Open Source Software
SERE-C '12: Proceedings of the 2012 IEEE Sixth International Conference on Software Security and Reliability CompanionSoftware vulnerabilities present a significant impediment to the safe operation of many computer applications, both proprietary and open source. Fortunately, many static analysis tools exist to identify potential security issues. We present the results ...
Quantifying developers' adoption of security tools
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software EngineeringSecurity tools could help developers find critical vulnerabilities, yet such tools remain underused. We surveyed developers from 14 companies and 5 mailing lists about their reasons for using and not using security tools. The resulting thirty-nine ...
Questions developers ask while diagnosing potential security vulnerabilities with static analysis
ESEC/FSE 2015: Proceedings of the 2015 10th Joint Meeting on Foundations of Software EngineeringSecurity tools can help developers answer questions about potential vulnerabilities in their code. A better understanding of the types of questions asked by developers may help toolsmiths design more effective tools. In this paper, we describe how we ...






Comments