D3.2 presents the mechanisms that allow the security level of software applications to be monitored and optimized during the coding and testing phases of the software development lifecycle. In particular, two individual mechanisms, the Security Evaluation Framework (SEF) and the Security Alerts Assessor (SAA), are described. SEF is a mechanism that supports security-specific static analysis and the calculation of high-level security measures reflecting specific security aspects; these measures are more intuitive and easily understandable, even by stakeholders with little or no technical knowledge. The SAA mechanism is a self-adaptive, machine learning-based mechanism that evaluates the criticality of static analysis alerts from a security viewpoint, taking into account information retrieved from (i) the alerts themselves, (ii) vulnerability prediction, and (iii) user feedback. SAA helps developers narrow their focus to the subset of static analysis alerts that are more likely to correspond to vulnerabilities, thereby reducing the overwhelming number of alerts reported to the user, a known issue of static analysis that hinders its practicality.
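To make the three SAA inputs concrete, the following is an added illustrative example, not the project's SAA implementation: alerts are scored by combining the tool's own severity, a per-file vulnerability-prediction probability, and a feedback-derived precision estimate per rule, so that user verdicts reshape later rankings. The severity weights, the smoothing formula, the rule identifiers, file paths and prediction values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical weights for the static analysis tool's own severity rating.
SEVERITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}

@dataclass
class Alert:
    rule_id: str   # checker / rule that fired (constructed CWE-style ids below)
    path: str      # source file the alert points at
    severity: str  # tool-reported severity: high / medium / low

@dataclass
class Assessor:
    # Constructed vulnerability-prediction output: probability per file.
    vuln_pred: Dict[str, float]
    # Feedback log per rule: True = confirmed vulnerability, False = noise.
    feedback: Dict[str, List[bool]]

    def rule_weight(self, rule_id: str) -> float:
        """Smoothed precision of a rule from user feedback (0.5 with no data)."""
        votes = self.feedback.get(rule_id, [])
        return (sum(votes) + 1) / (len(votes) + 2)

    def record_feedback(self, rule_id: str, is_true_positive: bool) -> None:
        """Self-adaptation step: each user verdict updates the rule's weight."""
        self.feedback.setdefault(rule_id, []).append(is_true_positive)

    def criticality(self, a: Alert) -> float:
        """Combine alert metadata, file vulnerability likelihood and feedback."""
        file_risk = 0.5 + 0.5 * self.vuln_pred.get(a.path, 0.0)
        return SEVERITY_WEIGHT[a.severity] * file_risk * self.rule_weight(a.rule_id)

    def prioritize(self, alerts: List[Alert], top_k: int) -> List[Alert]:
        """Return only the top_k alerts most likely to be real vulnerabilities."""
        return sorted(alerts, key=self.criticality, reverse=True)[:top_k]

# Constructed sample alerts, prediction output and feedback; not project data.
ALERTS = [
    Alert("CWE-78-os-command", "net/handler.c", "high"),
    Alert("CWE-120-buffer", "parser/lex.c", "high"),
    Alert("CWE-563-unused-var", "parser/lex.c", "low"),
    Alert("CWE-476-null-deref", "util/str.c", "medium"),
]
ASSESSOR = Assessor(
    vuln_pred={"parser/lex.c": 0.9, "net/handler.c": 0.4, "util/str.c": 0.1},
    feedback={"CWE-563-unused-var": [False, False, False],
              "CWE-120-buffer": [True, True, False]},
)
TOP_ALERTS = ASSESSOR.prioritize(ALERTS, top_k=2)  # the shortlist shown to the developer
```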
Please note that the European Commission has not yet approved this deliverable.
The contents of the deliverable reflect only the project Consortium’s view and the Commission is not responsible for any use that may be made of the information it contains.