Static analysis became the mainstream technology that is widely used in secure development lifecycles. As such it is covered by a lot of research works highlighting many diverse aspects. We would like to make this paper a single place that focuses on two important questions. First, it is a very long road to travel for a tool to be deployed in production, and the technology and design that actually worked is of interest. Second, once the tool has been made, it needs to be pushed further both with the evolutional approach of gradually improving analysis algorithms and with exploring completely new ideas, yet this task is not easy as inviting directions are many. This paper presents our view for the above problems in the context of a static analysis that strives to be fully automatic, scalable to modern computing systems and generating good quality warnings. We derive the discussion from our experience put into the Svace static analyzers that have been made at ISP RAS and deployed to various production development environments.
展开▼
