Instant Feedback Loops – for short feedback loops and early quality assurance
Mehraban, Mehrdad, January 2016
Context. In recent years, Software Quality Assurance (SQA) has become a crucial part of software development processes. As a result, modern software development processes have led to an increase in demand for manual and automated code quality assurance. Manual code quality reviews can be a time-consuming and expensive process with varying results. Thus, automated code reviews have become a preferred alternative for mitigating this process. However, commercial and open-source static code analyzer tools often offer deep analysis with long lead times.

Objectives. In this thesis work, the main aim is to introduce an early code quality assurance tool, which features a combination of software metrics. The tool should be able to examine the code quality and complexity of a telecommunication-grade software product, such as the source code of a specific Ericsson product. This tool should encapsulate the complexity and quality of a software product with regard to its efficiency, scope, flexibility, and execution time.

Methods. For this purpose, the background section of the thesis is dedicated to in-depth research on the software metrics included in well-known static code analyzers. Then, the development environment, the Ericsson product source code under investigation, and the software metrics collected for evaluation are presented. Next, according to each software metric's characteristics, points of interest, and requirements, a set of steps based on Susman's action research cycle was defined. Moreover, SWAT, a suitable software analytics toolkit, was employed to extract the experiment data for each software metric from a static code analyzer named Lizard, in order to detect the most efficient software metrics. The outcome of the conducted experiment demonstrates the relationship of the selected software metrics with one another.

Results. The chosen software metrics were evaluated based on a variety of vital factors, especially actual defect-count data for the specific Ericsson product. The highly effective software metrics from the investigations in this thesis work were implemented as a new model, named the hybrid model, to be utilized for early quality assurance.

Conclusions. The proposed model, which consists of well-performing software metrics, demonstrates an impressive performance as an early code quality indicator. Consequently, the model utilized in this master thesis could be studied in future research to further investigate the effectiveness and robustness of this tool as an early quality assurance.
Enhancing CryptoGuard's Deployability for Continuous Software Security Scanning
Frantz, Miles Eugene, 21 May 2020
The increasing development speed via Agile may introduce overlooked security steps in the process, with an example being the Iowa Caucus application. Verifying the protection of confidential information such as social security numbers requires security at all levels, providing protection through any connected applications. CryptoGuard is a static code analyzer for Java. This program verifies that developers do not leave vulnerabilities in their application. The program aids the developer by identifying cryptographic misuses such as hard-coded keys, weak program hashes, and using insecure protocols. In my Master thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created build tool plugins and a program aid for CryptoGuard. In addition, I also analyzed several Java-related surveys encompassing more than 50,000 developers and reported interesting current practices of real-world software developers.

Master of Science

Throughout the rise of software development, there has been an increase in development speed, with developers embracing methodologies that use higher rates of change, such as Agile. Since Agile naturally addresses "problems of rapid change", this also increases the likelihood of insecure and vulnerable coding practices. Though consumers depend on various public applications, there can still be failures throughout the development process in applications such as the Iowa caucus application. It was determined that the Iowa caucus application development team's repository credential (API key) was left within the application itself. API keys provide the credential to be able to directly interact with server systems, and if left unguarded can be easily exploited. Since the Iowa caucus application was released publicly, malicious actors (other people looking to exploit the application) may have already discovered this credential. Within our team we have created CryptoGuard, a program to analyze applications to detect cryptographic issues such as an exposed API key. Created with scalability in mind, it is able to scan enterprise code at a reasonable speed. To ensure its use within companies, we have been working on extending and enhancing the work to meet the current needs of Java developers. Surveying the current Java landscape, we investigated three different companies and their publicly available developer ecosystem surveys. Amongst these companies are: JetBrains, known for their Integrated Development Environments (IDE, or application to help write applications) and their own programming language; Snyk, known for their public security platform and anti-virus capability; and Jakarta EE, which is the new platform for the enterprise version of Java. Throughout these surveys, we accumulate more than 50,000 developers' responses, spanning various countries, company experience, and ages. With their responses amalgamated, we enhance CryptoGuard to be available to as many developers and their requests as possible.

First, CryptoGuard is enhanced to scan a project's source code. After that, ensuring our project is hosted by a cloud service, we are actively extending our project to the Security Assurance Marketplace (SWAMP). Funded by the DHS, SWAMP not only supplies a public cloud for developers to use, but also a local download option to scan a program within the user's own computer. Next, we create a plugin for the two most used build tools, Gradle and Maven. Then, to ensure CryptoGuard can have a reactive aid, CryptoSoule is created as a minimal interface aid. Finally, utilizing a live documentation service, an open-source documentation website was created to provide working examples to the community.