Houser, W.
(2014),
Static Analysis is not enough: The Role of Architecture and Design in Software Assurance, Crosstalk (Hill AFB): the Journal of Defense Software Engineering, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=916027
(Accessed January 15, 2025)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Static Analysis is not enough: The Role of Architecture and Design in Software Assurance
Published
Author(s)
Abstract
Static analysis testing of software source code is necessary but not sufficient. Over 40 percent of the Common Weakness Enumeration (CWE) are likely to be introduced in the architecture and design phase of the development life cycle. By their very nature, architecture and design flaws are rarely found during static analysis. Fixes to these errors can be complex and can further compound the problem by injecting additional defects, as well as alert adversaries to the existence of these flaws. Moreover design flaws can obscure the coding bugs that static analysis might otherwise detect, as demonstrated by the Heartbleed vulnerability. This paper describes the techniques architects and designers can employ to prevent flaws in applications before the programmers are tasked with building insecurity in.Citation
Crosstalk (Hill AFB): the Journal of Defense Software Engineering
Volume
27
Pub Type
Journals
Download Paper
Keywords
Static Analysis, Software Architecture, Software Design, Software Assurance, flaws, bugs, software vulnerabilities, software weaknesses, Common Weakness Enumeration (CWE)
Citation
Issues
If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.
Created December 1, 2014, Updated February 19, 2017