Testing for Software Security: A Case Study on Static Code Analysis of a File Reader Java Program
The high-level contribution of this paper is to illustrate the use of automated tools to conduct static code analysis of a software program and to mitigate the vulnerabilities the analysis reveals. We present a case study of static code analysis conducted on a File Reader program (developed in Java) using the Source Code Analyzer and Audit Workbench automated tools developed by Fortify, Inc. Specifically, the following software vulnerabilities are discovered, analyzed and mitigated: (i) Denial of Service, (ii) System Information Leak, (iii) Unreleased Resource (in the context of Streams) and (iv) Path Manipulation. We describe the potential risk of having each of these vulnerabilities in a software program and provide the solutions (including code snippets in Java) that mitigate them. The proposed solutions are generic: they can be used to correct the same classes of vulnerability in software written in other programming languages.
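The abstract names the four finding classes but, being an abstract, shows no code. The block below is an added Java example, not the paper's File Reader program and not Fortify's output, that puts one hardened form for each class into a single small file reader: the caller-supplied file name is canonicalized and confined to a base directory (Path Manipulation), the read is bounded in both line length and total size (Denial of Service), the stream is closed by try-with-resources on every exit path (Unreleased Resource: Streams), and exception detail is logged internally while the caller receives only a failure signal (System Information Leak). The class name, the size limits and the sample file are assumptions chosen for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration (not from the paper): a file reader hardened against the four finding classes. */
public class SafeFileReader {
    private static final Logger LOG = Logger.getLogger(SafeFileReader.class.getName());

    // Assumed limits for untrusted input; the paper does not specify values.
    private static final int MAX_LINE_CHARS = 4096;
    private static final long MAX_TOTAL_CHARS = 1L << 20;

    private final Path baseDir;

    public SafeFileReader(Path baseDir) throws IOException {
        // Canonicalize once so that later prefix checks compare like with like.
        this.baseDir = baseDir.toRealPath();
    }

    /** Path Manipulation: resolve the caller-supplied name and refuse anything that escapes baseDir. */
    Path resolveInside(String userSupplied) throws IOException {
        Path candidate = baseDir.resolve(userSupplied).normalize();
        // toRealPath follows symlinks, so a link that points outside baseDir is rejected too.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new IOException("path outside permitted directory");
        }
        return real;
    }

    /** Denial of Service: read with explicit bounds instead of unbounded readLine()/readAllBytes(). */
    static String readBounded(Reader reader) throws IOException {
        StringBuilder out = new StringBuilder();
        StringBuilder line = new StringBuilder();
        long total = 0;
        int ch;
        while ((ch = reader.read()) != -1) {
            if (++total > MAX_TOTAL_CHARS) {
                throw new IOException("input exceeds total size limit");
            }
            if (ch == '\n') {
                out.append(line).append('\n');
                line.setLength(0);
            } else {
                if (line.length() >= MAX_LINE_CHARS) {
                    throw new IOException("line exceeds length limit");
                }
                line.append((char) ch);
            }
        }
        out.append(line);
        return out.toString();
    }

    /**
     * Unreleased Resource: try-with-resources closes the reader on normal return and on exception.
     * System Information Leak: the exception (path, OS error text, stack trace) goes to the log only;
     * the caller learns that the read failed and nothing more.
     */
    public String read(String userSupplied) {
        try {
            Path target = resolveInside(userSupplied);
            try (BufferedReader reader = Files.newBufferedReader(target, StandardCharsets.UTF_8)) {
                return readBounded(reader);
            }
        } catch (IOException e) {
            LOG.log(Level.WARNING, "read failed for request: " + userSupplied, e);
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary directory holding one small text file.
        Path dir = Files.createTempDirectory("reader-demo");
        Files.write(dir.resolve("notes.txt"), "hello\nworld\n".getBytes(StandardCharsets.UTF_8));
        SafeFileReader reader = new SafeFileReader(dir);
        String ok = reader.read("notes.txt");            // contents of the sample file
        String rejected = reader.read("../../etc/passwd"); // null: confined to dir, detail only in the log
        System.out.println("allowed read succeeded: " + (ok != null));
        System.out.println("traversal attempt rejected: " + (rejected == null));
    }
}
```

The order of the checks matters: the path is confined before the file is opened, the limits are enforced while reading rather than after the whole file has been buffered, and the catch block is the single place where failures are reported, so no code path can return a raw exception message to the caller.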
Keywords: Denial of Service; Path Manipulation; Sanitization; Static Code Analysis; Testing for Software Security; Vulnerability