Integrating Static Analysis into a Secure Software Development Process

D. Kleidermacher
Published in: 2008 IEEE Conference on Technologies for Homeland Security
Publication date: 2008-05-12
DOI: 10.1109/THS.2008.4534479 (https://doi.org/10.1109/THS.2008.4534479)
Citations: 6

Abstract

Software content has grown rapidly in all manner of electronic systems. Meanwhile, society has become increasingly dependent upon the safe and secure operation of these electronic systems. We depend on software for our telecommunications, critical infrastructure, avionics, financial systems, medical information systems, automobiles, and more. Unfortunately, our ability to develop secure software has not improved at the same rate, resulting in increasing reliability and security vulnerabilities. The increase in software vulnerability poses a serious threat to national and homeland security. Vulnerabilities have caused or contributed to blackouts, air traffic control failures, traffic light system breaches, and other well publicized security breaches in critical infrastructure. This threat demands new approaches to secure software development. Static analysis has emerged as a promising technology for improving the security of software and systems. Static analysis tools analyze software to find defects that may go undetected using traditional techniques, such as compilers, human code reviews, and testing. A number of limitations, however, have prevented widespread adoption in software development. Static analysis tools often take prohibitively long to execute and are not well integrated into the software development environment. This paper will introduce a new approach - the integrated static analyzer (ISA) - that solves many of these problems. Specific metrics will be provided to demonstrate how the new approach makes the use of static analysis tools practical and effective for everyday embedded software development. In addition to traditional analysis, the ISA approach enables detection of a new class of security flaws not otherwise practicable.