On the combination of static analysis for software security assessment -- a case study of an open-source e-government project
Anh Nguyen-Duc, Manh Viet Do, Quan Luong Hong, Kiem Nguyen Khac

TL;DR
This paper presents a case study on integrating multiple static analysis tools into a comprehensive security assessment process for an open-source e-government project, highlighting practical benefits and challenges.
Contribution
It introduces a novel approach for combining SAST tools in security assessment and evaluates its effectiveness through a longitudinal case study.
Findings
Combining multiple SAST tools improves vulnerability detection performance.
SAST tools should be used alongside human-driven assessment for better security.
Practical integration of SAST tools requires careful selection and evaluation.
Abstract
Static Application Security Testing (SAST) is a popular quality assurance technique in software engineering. However, integrating SAST tools into industry-level product development and security assessment poses various technical and managerial challenges. In this work, we report a longitudinal case study of adopting SAST as part of a human-driven security assessment for an open-source e-government project. We describe how SAST tools are selected, evaluated, and combined into a novel approach for software security assessment. The approach was preliminarily evaluated using semi-structured interviews. Our results show that (1) while some SAST tools outperform others, it is possible to achieve better performance by combining more than one SAST tool, and (2) SAST tools should be used towards a practical performance and in combination with triangulated approaches for human-driven…
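The abstract's first finding, that combining SAST tools can outperform any single tool, is easiest to see by scoring tool outputs against a manually reviewed ground truth. The following Python is an added illustration, not code from the paper or from the e-government project; the two tool result sets, the ground truth, and the file/line/CWE keys are all constructed for the example, and the paper does not specify how its authors merged findings. The block scores each tool alone, the union of both (any tool reports it), and the agreement set (all tools report it), so the recall gain and precision cost of the union strategy are visible side by side.

```python
from typing import Dict, FrozenSet, Tuple

# A finding is normalized to (file, line, CWE id) so results from different
# tools can be compared. All values below are constructed sample data.
Finding = Tuple[str, int, str]

# Constructed output of two hypothetical SAST tools ("A" and "B").
TOOL_A: FrozenSet[Finding] = frozenset({
    ("web/login.py", 42, "CWE-89"),
    ("web/upload.py", 17, "CWE-22"),
    ("web/render.py", 88, "CWE-79"),
    ("util/cfg.py", 5, "CWE-798"),    # false positive in this sample
})
TOOL_B: FrozenSet[Finding] = frozenset({
    ("web/login.py", 42, "CWE-89"),
    ("web/render.py", 88, "CWE-79"),
    ("api/export.py", 120, "CWE-611"),
    ("api/export.py", 131, "CWE-20"),  # false positive in this sample
})

# Constructed ground truth, standing in for the human-driven review.
TRUE_VULNS: FrozenSet[Finding] = frozenset({
    ("web/login.py", 42, "CWE-89"),
    ("web/upload.py", 17, "CWE-22"),
    ("web/render.py", 88, "CWE-79"),
    ("api/export.py", 120, "CWE-611"),
    ("db/query.py", 9, "CWE-89"),      # missed by both tools
})


def score(findings: FrozenSet[Finding], truth: FrozenSet[Finding]) -> Dict[str, float]:
    """Precision/recall of a finding set against the reviewed ground truth."""
    tp = len(findings & truth)
    fp = len(findings - truth)
    fn = len(truth - findings)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def combine(results: Dict[str, FrozenSet[Finding]], min_tools: int = 1) -> FrozenSet[Finding]:
    """Keep findings reported by at least `min_tools` tools.

    min_tools=1 is the union (maximizes recall); min_tools=len(results) is the
    agreement set (maximizes precision). Intermediate values give a vote threshold.
    """
    counts: Dict[Finding, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return frozenset(f for f, c in counts.items() if c >= min_tools)


def compare_strategies(results: Dict[str, FrozenSet[Finding]],
                       truth: FrozenSet[Finding]) -> Dict[str, Dict[str, float]]:
    """Score each tool alone plus the union and agreement combinations."""
    scores = {name: score(findings, truth) for name, findings in results.items()}
    scores["union"] = score(combine(results, 1), truth)
    scores["agreement"] = score(combine(results, len(results)), truth)
    return scores


if __name__ == "__main__":
    for name, s in compare_strategies({"A": TOOL_A, "B": TOOL_B}, TRUE_VULNS).items():
        print(f"{name:10s} tp={s['tp']} fp={s['fp']} fn={s['fn']} "
              f"precision={s['precision']:.2f} recall={s['recall']:.2f}")
```

On this sample each tool alone reaches 0.75 precision and 0.60 recall; the union lifts recall to 0.80 at the cost of precision (0.67), while the agreement set has perfect precision but only 0.40 recall. Neither combination finds the issue missed by both tools, which is the abstract's second point: tool output still needs a human-driven assessment alongside it.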
