• DocumentCode
    708965
  • Title

    Tool support for secure programming by security testing

  • Author

    Keqin Li ; Hebert, Cedric ; Lindemann, Jan ; Sauter, Michael ; Mack, Holger ; Schroer, Tom ; Tiple, Abhay

  • Author_Institution
    SAP Product Security Res., France
  • fYear
    2015
  • fDate
    13-17 April 2015
  • Firstpage
    1
  • Lastpage
    4
  • Abstract
    Secure Programming Guidelines help to prevent developers from introducing vulnerabilities. But being just static text to be consulted now and then, the Guidelines are difficult to integrate in the implementation phase of software development, especially when developers are under pressure of delivering software for a deadline. In this paper, we present an IDE integration of security testing and static code analysis to detect vulnerabilities and known insecure coding patterns according to Secure Programming Guidelines. While security testing tools and static analyzers exist for security professionals, similar tools to be used by software engineers who are normally non security experts are missing. This automated tool support is non-intrusive during implementation by being fully integrated in the IDE developers use, efficient to not slow down the overall implementation effort, and extensible to consider different vulnerabilities. We implement this IDE integration as an extension to SAP HANA Web-based Development Workbench. While not proposing new security testing nor static code analysis techniques, we integrate multiple security analysis to make them usable for developers during implementation, as they are relevant threats to SAP HANA applications and thus concerned in the Secure Programming Guidelines.
  • Keywords
    Internet; program diagnostics; program testing; security of data; software tools; IDE developers; IDE integration; SAP HANA Web-based development workbench; insecure coding patterns; nonsecurity experts; secure programming guidelines; security professionals; security testing; static analyzers; static code analysis; static text; tool support; Databases; Guidelines; Programming; Security; Servers; Software; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on
  • Conference_Location
    Graz
  • Type

    conf

  • DOI
    10.1109/ICSTW.2015.7107462
  • Filename
    7107462