Secure infrastructure for exchanging rules in static code analysis tools

Abstract

In software engineering, static code analysis can be used to inspect code and detect security vulnerabilities even in early stages of the development. This is done by analyzing a piece of code against a set of rules. The aim of this work was to create a secure data exchange infrastructure for static code analysis tools and providers of the rules being used. This enables these tools to update their set of rules by downloading the latest rules from rule providers. First of all, a research on alternatives for possible rule exchange infrastructures was done. During this, many existing data exchange and update protocols were examined. Then the requirements engineering and the search for technologies and protocols was conducted. Based on these results, the rule exchange infrastructure was designed. During the whole process, security was of utmost importance, but also requirements like maintainability and expandability were taken into account.