War of Control Hijacking
Published in Uzzal Sharma, Parmanand Astya, Anupam Baliyan, Salah-ddine Krit, Vishal Jain, Mohammad Zubair Khan, Advancing Computational Intelligence Techniques for Security Systems Design, 2023
Ragini Karwayun, Monika Sainger
Various audit tools can be used to test software for vulnerabilities. Several automated tools are available on the market, such as Codacy, SonarQube, Coverity, PREfix, PREfast, and many more. Codacy is an automated tool used for code review. It supports more than 40 programming languages, including Scala, Java, Ruby, JavaScript, PHP, Python, CoffeeScript, and CSS. SonarQube supports continuous improvement by producing a detailed report on the quality of the source code and highlighting the issues found. Coverity performs static analysis of all the possible execution paths through the source code and detects vulnerabilities caused by the conjunction of independently correct statements. The PREfix tool symbolically executes chosen paths through a C/C++ program and, during this process, looks for multiple low-level programming errors, including NULL pointer dereferences, the use of uninitialized memory, double freeing of resources, etc. PREfast analysis is inexpensive: it uses pattern matching on the syntax tree of the C/C++ program to find naive programming mistakes, and its other analyses are centred on local dataflow analysis to find uninitialized use of variables, NULL pointer dereferences, etc. [20]. The major problem with these tools, however, is that they are expensive and are designed exclusively for specific software.
Technical debt as an indicator of software security risk: a machine learning approach for software development enterprises
Published in Enterprise Information Systems, 2022
Miltiadis Siavvas, Dimitrios Tsoukalas, Marija Jankovic, Dionysios Kehagias, Dimitrios Tzovaras
SonarQube is the world's leading static analysis platform for continuous inspection of code quality; it provides analysis functionality and a wide range of metrics for measuring quality attributes of code, tests, and design. As of today, it has been adopted by more than 120 K organisations, including more than 100 K public open-source projects. In this study, SonarQube has been used as a proof of concept for research purposes, since according to two recent studies on TD management (Li, Avgeriou, and Liang 2015; Ampatzoglou et al. 2015) it is the most frequently used tool for estimating TD principal. To do so, SonarQube checks code compliance against a set of classified coding rules; if the code violates any of these rules, it records a violation, i.e. a TD item. For each identified TD item, SonarQube computes the remediation time (i.e. the estimated effort) needed to refactor it and counts that time as TD. Therefore, in the present work, we opted for the TD-related metrics provided by SonarQube (computed at both the project and the class level of granularity) as our primary TD indicators for predicting software security risk. In fact, SonarQube has been used to statically analyse the selected 210 software applications (see Section), as well as the 2740 software classes of the OWASP Benchmark (see Section 4.2). A more detailed definition of the selected metrics is provided in Section.