On the adoption of static analysis for software security assessment–A case study of an open-source e-government project
Peer reviewed, Journal article
Published version
Permanent link
https://hdl.handle.net/11250/2987879
Publication date
2021
Collections
- Institutt for økonomi og it [161]
- Publikasjoner fra CRIStin [3623]
Original version
Nguyen-Duc, A., Do, M. V., Luong Hong, Q., Nguyen Khac, K. & Nguyen Quang, A. (2021). On the adoption of static analysis for software security assessment–A case study of an open-source e-government project. Computers & Security, 111, Article 102470. https://doi.org/10.1016/j.cose.2021.102470
Abstract
Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development for security assessment poses various technical and managerial challenges. In this work, we report results from a case study of adopting SAST as part of a human-driven security assessment process in an open-source e-government project. We describe how SAST tools are selected, evaluated, and combined into a novel approach and adopted by security experts for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that while some SAST tools outperform others, it is possible to achieve better performance by combining more than one SAST tool. The combined approach has the potential to aid the security assessment process for open-source software.