Evaluation of Static Analysis Tools for Finding Vulnerabilities in Java and C/C++ Source Code
This work addresses the problem of delayed security testing in software development, offering insights for developers and security professionals, but it is incremental as it focuses on tool comparison without introducing new methods.
The paper compares static analysis tools for Java and C/C++ source code to find vulnerabilities, highlighting their pros and cons to aid in early detection during development.
It is quite common for security testing to be delayed until after the software has been developed, but vulnerabilities may get noticed throughout the implementation phase and the earlier they are discovered, the easier and cheaper it will be to fix them. Software development processes such as the secure software development lifecycle incorporates security at every stage of the design and development process. Static code scanning tools find vulnerabilities in code by highlighting potential security flaws and offer examples on how to resolve them, and some may even modify the code to remove the susceptibility. This paper compares static analysis tools for Java and C/C++ source code, and explores their pros and cons.