I am a research associate at Fraunhofer IEM in Paderborn, Germany.
Static code analysis can detect many known vulnerabilities when correctly configured for each application being analyzed. However, the acceptance of static analysis tools among developers is still very low. One of the main issues is that developers are not familiar with the domain and do not know how to set the parameters to get the expected results. Default configurations often result in a high number of false positives. If we want to reach a SecDevOps process, we need to make sure that developers are aware of security issues already in the design phase. In my research, I develop methods and tools that will close the gap between development and static code analysis. One of the main problems is how to detect the security-relevant entities in the code that are needed for the configuration of static analyses. The goal is to provide the developer with an IDE-integrated generator of configurations for static analyses that can be used at design time.
Fraunhofer IEM Institute for Mechatronic Systems Design
Department Software Engineering and IT-Security