Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development and security assessment poses various technical and managerial challenges. In this work, we report a longitudinal case study of adopting SAST as part of a human-driven security assessment for an open-source e-government project. We describe how SAST tools were selected, evaluated, and combined into a novel approach for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that (1) while some SAST tools outperform others, better performance can be achieved by combining more than one SAST tool, and (2) SAST tools should be used with realistic performance expectations and in combination with triangulated approaches to human-driven vulnerability assessment in real-world projects.
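The abstract reports that combining the findings of more than one SAST tool can outperform any single tool, and that tool results must be weighed against a human-driven assessment. The following is an added example, not code from the paper or the project it studies, of one way to put that into practice: normalise each tool's report onto a common (file, line, CWE) key, merge the reports either as a union (more recall, more triage work) or as an agreement of at least N tools (more precision, fewer true positives), and score each variant against a reviewer-confirmed ground truth. The report field names, the file paths, the CWE identifiers and the ground-truth set are all constructed for illustration and are not taken from the paper.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """Tool-independent key for one reported issue (assumed granularity: file, line, CWE)."""
    file: str
    line: int
    cwe: str


def normalize(rows: Iterable[dict], file_key: str, line_key: str, cwe_key: str) -> set[Finding]:
    """Map one tool's report rows onto the common Finding key.

    Each SAST tool names its columns differently, so the caller passes the
    field names; CWE ids are upper-cased so 'cwe-89' and 'CWE-89' match.
    """
    return {Finding(r[file_key], int(r[line_key]), r[cwe_key].upper()) for r in rows}


def combine(reports: dict[str, set[Finding]], min_tools: int = 1) -> set[Finding]:
    """Keep findings reported by at least `min_tools` tools.

    min_tools=1 is the union of all reports; min_tools=len(reports) keeps
    only findings every tool agrees on.
    """
    counts: dict[Finding, int] = {}
    for findings in reports.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return {f for f, n in counts.items() if n >= min_tools}


def precision_recall(found: set[Finding], truth: set[Finding]) -> tuple[float, float]:
    """Score a result set against reviewer-confirmed vulnerabilities."""
    tp = len(found & truth)
    precision = tp / len(found) if found else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


# Constructed sample reports from two hypothetical tools with different schemas.
TOOL_A_ROWS = [
    {"path": "app/login.py", "lineno": "42", "cwe": "CWE-89"},
    {"path": "app/upload.py", "lineno": "17", "cwe": "CWE-22"},
    {"path": "app/util.py", "lineno": "5", "cwe": "CWE-78"},        # false positive
]
TOOL_B_ROWS = [
    {"file": "app/login.py", "line": 42, "cwe_id": "cwe-89"},
    {"file": "app/session.py", "line": 88, "cwe_id": "CWE-384"},
    {"file": "templates/base.html", "line": 3, "cwe_id": "CWE-79"},  # false positive
]

# Constructed ground truth, standing in for what the human review confirmed.
GROUND_TRUTH = {
    Finding("app/login.py", 42, "CWE-89"),
    Finding("app/upload.py", 17, "CWE-22"),
    Finding("app/session.py", 88, "CWE-384"),
    Finding("app/db.py", 120, "CWE-89"),  # missed by both tools
}


def evaluate() -> dict[str, tuple[float, float]]:
    """Return (precision, recall) for each tool alone, their union, and their agreement."""
    reports = {
        "tool_a": normalize(TOOL_A_ROWS, "path", "lineno", "cwe"),
        "tool_b": normalize(TOOL_B_ROWS, "file", "line", "cwe_id"),
    }
    results = {name: precision_recall(f, GROUND_TRUTH) for name, f in reports.items()}
    results["union"] = precision_recall(combine(reports, min_tools=1), GROUND_TRUTH)
    results["agreement"] = precision_recall(combine(reports, min_tools=2), GROUND_TRUTH)
    return results


if __name__ == "__main__":
    for name, (p, r) in evaluate().items():
        print(f"{name:10s} precision={p:.2f} recall={r:.2f}")
```

On the constructed data each tool alone reaches precision 0.67 and recall 0.50; the union raises recall to 0.75 at the cost of precision 0.60, while requiring both tools to agree gives precision 1.00 but recall 0.25. Neither combination finds the issue in `app/db.py`, which is the kind of gap the abstract's triangulated, human-driven assessment is meant to close.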