电信科学 (Telecommunications Science) ›› 2020, Vol. 36 ›› Issue (12): 155-162. doi: 10.11959/j.issn.1000-0801.2020324

• Column: Application and Terminal Security •

Causes and optimization of the false positive rate of code audit systems

Yuanying XIAO, Yaodong YOU, Lixi XIANG

  1. Research Institute of China Telecom Co., Ltd., Shanghai 200122, China
  • Revised: 2020-12-10 Online: 2020-12-20 Published: 2020-12-23
  • About the authors: Yuanying XIAO (1997- ), female, works at the Institute of Application Security, Research Institute of China Telecom Co., Ltd.; her main research interest is code audit | Yaodong YOU (1979- ), male, works at the Institute of Application Security, Research Institute of China Telecom Co., Ltd.; his main research interests are secure development (SDL), application security and code audit | Lixi XIANG (1984- ), female, works at the Institute of Application Security, Research Institute of China Telecom Co., Ltd.; her main research interest is code audit

Causes and optimization of the false alarm rate of code review system

Yuanying XIAO,Yaodong YOU,Lixi XIANG   

  1. Research Institute of China Telecom Co., Ltd., Shanghai 200122, China
  • Revised: 2020-12-10 Online: 2020-12-20 Published: 2020-12-23

Abstract:

Code audit has become a pivotal part of cybersecurity construction. Code audit systems based on automated source-code scanning are already widely deployed, but they still have many shortcomings. This paper summarizes the shortcomings of current code audit systems, outlines the principles of the different static source-code analysis algorithms, analyzes why false positives appear in scan reports, proposes corresponding optimization approaches, and describes the technical principles of the optimization scheme and its application scenarios.

Keywords: code audit, static analysis technology, network security

Abstract:

Code review technology has become a pivotal part of the construction of network security. Analysis of the scan reports produced by current code audit systems shows that they contain many false positives. The shortcomings of current code audit systems were summarized, the principles of the different detection algorithms were briefly described, the causes of the false alarm rate were analyzed, corresponding optimization ideas were proposed, the technical principles of the optimization were explained, and the application scenarios of the optimization schemes were described.

Key words: code review, static analysis technology, network security
