DocumentCode
708965
Title
Tool support for secure programming by security testing
Author
Li, Keqin; Hebert, Cedric; Lindemann, Jan; Sauter, Michael; Mack, Holger; Schroer, Tom; Tiple, Abhay
Author_Institution
SAP Product Security Res., France
fYear
2015
fDate
13-17 April 2015
Firstpage
1
Lastpage
4
Abstract
Secure Programming Guidelines help to prevent developers from introducing vulnerabilities. But being just static text to be consulted now and then, the Guidelines are difficult to integrate into the implementation phase of software development, especially when developers are under pressure to deliver software by a deadline. In this paper, we present an IDE integration of security testing and static code analysis to detect vulnerabilities and known insecure coding patterns according to Secure Programming Guidelines. While security testing tools and static analyzers exist for security professionals, similar tools for software engineers, who are normally non-security experts, are missing. This automated tool support is non-intrusive during implementation, being fully integrated into the IDE developers use; efficient, so as not to slow down the overall implementation effort; and extensible, so that different vulnerabilities can be considered. We implement this IDE integration as an extension to the SAP HANA Web-based Development Workbench. While not proposing new security testing or static code analysis techniques, we integrate multiple security analyses to make them usable for developers during implementation, as they address relevant threats to SAP HANA applications and are thus covered in the Secure Programming Guidelines.
Keywords
Internet; program diagnostics; program testing; security of data; software tools; IDE developers; IDE integration; SAP HANA Web-based development workbench; insecure coding patterns; non-security experts; secure programming guidelines; security professionals; security testing; static analyzers; static code analysis; static text; tool support; Databases; Guidelines; Programming; Security; Servers; Software; Testing
fLanguage
English
Publisher
ieee
Conference_Titel
Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on
Conference_Location
Graz
Type
conf
DOI
10.1109/ICSTW.2015.7107462
Filename
7107462