Towards the Verification and Validation of Software Security Properties Using Static Code Analysis

Developing and delivering secure software is a challenging task, that gets even harder when the developer tries to adhere to both application and organization-specific security requirements. Different approaches have been proposed to facilitate this task, such as code analysis that aims at detecting flaws in the developed software before it is released and deployed to customer. This paper discusses a number of static code analysis approaches and presents different code analysis tools adopting each a specific analysis technique. These tools are evaluated against a sample code illustrating different security challenges that can be addressed using an approach that helps detecting security properties. The latter can be transformed into abstract security policies that can be validated against explicit security requirements. This would help the developer throughout the software development lifecycle and to ensure the compliance with security specifications.