Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development and security assessment poses various technical and managerial challenges. In this work, we reported a longitudinal case study of adopting SAST as a part of a human-driven security assessment for an open-source e-government project. We described how SASTs are selected, evaluated, and combined into a novel approach for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our result shows that while some SAST tools out-perform others, it is possible to achieve better performance by combining more than one SAST tool. A combined approach has the potential to aid the security assessment process for open-source software.
翻译:静态应用安全测试(SAST)是软件工程中流行的质量保证技术,然而,将SAST工具纳入工业一级产品开发和安全评估带来了各种技术和管理挑战。在这项工作中,我们报告了采用SAST作为开放源码电子政务项目人驱动安全评估的一部分的纵向案例研究。我们介绍了SAST是如何选择、评估并结合为软件安全评估的新颖方法的。这种方法是使用半结构式访谈进行初步评估的。我们的结果显示,虽然一些SAST工具优于其他工具,但通过合并一个以上SAST工具,有可能取得更好的业绩。综合方法有可能帮助开放源码软件的安全评估进程。
相关内容
微信扫码咨询专知VIP会员