Collaborative Security Code-Review Towards Aiding Developers Ensure Software-Security

Humans make mistakes, and software programmers are no exception. Software vulnerabilities are discovered everyday; close to 8,000 vulnerabilities were reported in 2014, and almost 2,500 were reported in the first four months of 2015 [9]. Microsoft Security Response Centre defines software vulnerabilities as a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered [8]. Integrating security in the Software Development Lifecycle (SDLC) leads to better quality software than when security was considered as an additional task [11]. Major software companies are taking the initiative to integrate security in the SDLC, starting from the early stages of the development. For example, Microsoft has been following a securityoriented software development process since 2004. The Microsoft Security Development Lifecycle (SDL) introduces security early in the development process and throughout the different stages of the traditional SDLC [7]. Google, on the other hand, has an independent Security Team responsible for aiding security reviews during the design and implementation phases, as well as providing ongoing consultation on project-relevant security risks and their possible remedies. Static analysis [12] is a method of software testing that can be performed throughout the different stages of the development to ensure software is free of vulnerabilities introduced to the code due to programming errors. Static analysis does not require the code to be executed, thus incomplete versions of the software can be tested. This allows testing software during early stages when errors are less expensive to fix [3, 1]. Static-code Analysis Tools (SATs) are tools that automatically analyze static-code to uncover vulnerabilities.