Secure Coding
This article introduces the secure coding.
Secure Coding related Taxonomies
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
- A Taxonmy of Computer Program Security Flaws
- A Taxonmy of Security Faults in the Unix Operating System
Code Analysis Tools
There are many different types of tools and technologies that can be used for improving the software security properties. This is done by pinpointing possible weaknesses. The following grouping of tools is quite common:
- Static source analysis tools
- Dynamic analysis tools
- Tools for system hardening and fuzzy testing
These tools are mainly used in different phases of the software development life cycle. Static analysis is performed while software is designed, sometimes for code fragments that won’t even compile. Dynamic analysis tools are run mainly in the test environment where the system under test is a “prototype version of production”, i.e. a test environment. VA tools are used in the real environment, as they also verify issues with the system configuration. Note that there are test tools that cover partly multiple areas. For example the CodeChecker does static code analysis, but it also compiles the code and simulates it, thus performs checks that are dynamic by nature.
Static Code Analysis Tools
BitDefender, together with researchers from Alexandru Ioan Cuza University, have done a study about static code analysis tools, and how the tools can find vulnerabilities in the C/C++ code. The analysis consists of e.g. CLANG, CppCheck and CodeSonar, check the study report.
- Wikipedia list of static analysis tools
- OWASP page for static code analysis
Dynamic Analysis Tools
References
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
- A Taxonmy of Computer Program Security Flaws
- A Taxonmy of Security Faults in the Unix Operating System
- CodeSonar
- Static Analysis Tools
- Static Code Analysis