Static code analysis finds avoidable errors
At the Source
Virtue out of Necessity
If you want to get used to a thorough and clean programming style, going with Splint is undoubtedly a good idea, and you will be in good company. Developers who are also prepared to investigate every false positive thoroughly will find RATS a helpful companion.
In all cases, the results are what matter: quality assurance is enforced, the constant, unyielding criticism of the checking tools forces you to rethink and relearn, and the resulting software carries a low security risk. OpenBSD shows that static code analysis, reviews, and coding standards can make secure programming a reality: only two remotely exploitable vulnerabilities in the default install in 20 years.
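As an added illustration (not code from the article, nor from the Splint or RATS projects), here is the kind of avoidable error both tools are built to catch, beside a bounded replacement. The `struct user` record, the field size and the two input strings are constructed for this example; RATS lists strcpy() in its database of risky calls and reports every use of it, and Splint's bounds checking (+bounds) flags the store as possibly out of bounds.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Hypothetical record type used only for this example. */
struct user {
    char name[NAME_MAX];
};

/* Unsafe: strcpy() copies until the NUL byte, regardless of the size of
 * the destination. RATS reports every call to strcpy() as a potential
 * buffer overflow; Splint with +bounds warns that the write may exceed
 * u->name. Never call this with attacker-controlled input. */
void set_name_unsafe(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* Bounded replacement: returns 0 on success, -1 if src (plus its
 * terminating NUL) does not fit. The caller decides whether rejecting
 * the input or truncating it is the right policy; this version rejects. */
int set_name_checked(struct user *u, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof(u->name)) {
        u->name[0] = '\0';
        return -1;
    }
    memcpy(u->name, src, len + 1);
    return 0;
}

int main(void)
{
    struct user u;
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "an-attacker-controlled-overlong-name";

    printf("checked(ok):       %d -> \"%s\"\n", set_name_checked(&u, ok), u.name);
    printf("checked(too_long): %d -> \"%s\"\n", set_name_checked(&u, too_long), u.name);
    return 0;
}
```

Running `rats` or `splint +bounds` over this file reports the strcpy() call in set_name_unsafe() and stays quiet about set_name_checked(), which is exactly the workflow the article describes: the tool points at the call, the developer decides on the fix.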
Infos
- Anderson, James P. Computer Security Technology Planning Study. Bedford (MA): Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), Technical Report ESD-TR-73-51, Vol. II, October 1972, https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ande72.pdf
- "NT Web Technology Vulnerabilities" by rain.forest.puppy, Phrack Magazine, volume 8, issue 54, December 25, 1998, article 8, http://phrack.org/issues/54/8.html#article
- "Embedded C Coding Standard" by Barr Group: https://barrgroup.com/Embedded-Systems/Books/Embedded-C-Coding-Standard/Introduction
- Uncrustify: http://uncrustify.sourceforge.net
- JSLint: http://www.jslint.com
- JavaScript tutorials (SELFHTML, in German): https://wiki.selfhtml.org/wiki/JavaScript/Tutorials/Einstieg/Einbindung_in_HTML
- JavaScript strings: https://www.w3schools.com/js/js_strings.asp
- CC BY-SA 3.0: https://creativecommons.org/licenses/by-sa/3.0/
- Splint: http://splint.org
- Hoare, C.A.R. An axiomatic basis for computer programming. Communications of the ACM, 1969;12(10):576-583, https://web.archive.org/web/20160304013345/http://www.spatial.maine.edu/~worboys/processes/hoare%20axiomatic.pdf
- RATS: https://github.com/andrew-d/rough-auditing-tool-for-security
- Coverity Static Application Security Testing (SAST): https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html
- Coverity Scan: https://scan.coverity.com