A. Wagner, J. Sametinger, Using the Juliet Test Suite to compare Static Security Scanners, 11th International Conference on Security and Cryptography (SECRYPT 2014) Vienna, Austria - August 28-30, 2014.
Security issues arise permanently in different software products. Making software secure is a challenging endeavor. Static analysis of the source code can help eliminate various security bugs. The better a scanner is, the more bugs can be found and eliminated. The quality of security scanners can be determined by letting them scan code with known vulnerabilities. Thus, it is easy to see how much they have (not) found. We have used the Juliet Test Suite to test various scanners. This test suite contains test cases with a set of security bugs that should be found by security scanners. We have automated the process of scanning the test suite and of comparing the generated results. With one exception, we have only used freely available source code scanners. These scanners were not primarily targeted at security, yielding disappointing results at first sight. We will report on the findings, on the barriers for automatic scanning and comparing, as well as on the detailed results.