Publication | Closed Access
Securing Java code
Citations: 23
References: 13
Year: 2008
Venue: Unknown
Keywords: Engineering, Information Security, Software Engineering, Source Code Analysis, Formal Verification, Software Analysis, Static Analysis Tools, Static Checking, Java Code, New Taxonomy, Static Analysis, Secure By Design, Computer Science, Java SE Code, Static Program Analysis, Language-based Security, Software Design, Data Security, Cryptography, Software Security, Program Analysis, Software Testing
Abstract: A secure coding standard for Java does not exist. Even if such a standard did exist, it is not known how well static analysis tools could enforce it. In this work, we show how well eight static analysis tools can identify violations of a comprehensive collection of coding heuristics for increasing the quality and security of Java SE code. A new taxonomy for correlating coding heuristics with the design principles they help to achieve is also described. The taxonomy aims to make understanding, applying, and remembering both principles and heuristics easier. A significant number of secure coding violations, some of which make attacks possible, were not identified by any tool. Even if all eight tools were combined into a single tool, more than half of the violations included in the study would not be identified.