CGEST Staff

Representing Complexity: Learning about Static Analysis

By Rachel Ware

Photo by Chris Ried

CompuGirls Cyber Warriors has expanded my understanding of cybersecurity, and I often think of the camp curriculum and the insight the students bring when I read about tools that make security or software development better and about the people behind technology. Recently I read a couple of articles from ACM Queue (the Association for Computing Machinery’s magazine) that reminded me of the processes that create complex software systems and of the importance of cybersecurity being part of that process.

The first article is on static analysis; in addition to a history of the practice, it explains its advantages for high-complexity projects, which many software projects are. Static analysis is a process in which a software program reads another program’s source code, without running it, and records information about certain metrics in order to highlight potential issues. In a complex project there are likely to be multiple files interacting and many people involved, so discovering issues early is an important activity. This also applies to cybersecurity, where something as small as the name of a variable or a missing input check could be a vulnerability that a hacker could exploit. A good static analysis tool that checks other programs for quality and security is highly valuable.

To this end, the second article, which takes a human-centered or Human-Computer Interaction (HCI) approach to static analysis tools, addresses what a good static analysis tool needs. Beyond alerting the developer to potential issues, the tool can support the parts of development that humans find harder. The goal is to present complex information in a format that extends developers’ possibilities and minimizes their challenges. For cybersecurity, it would be useful to alert developers to antipatterns that make their software more vulnerable and to suggest solutions. This article was a great read for learning about research into static analysis and, more generally, into the abstraction of complex topics. It focuses on computer science, but I think the problems it explores in representing complex ideas exist across disciplines.

Hovering over the highlighted code shows a warning that “size” is not defined, alerting developers to the issue before the code is run.
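To make the description above concrete, here is a small static analyzer written for this post (it is not code from either ACM Queue article or from any real tool). It reads a constructed sample program with Python’s `ast` module, never executes it, and reports names that are read but never bound, which is exactly the kind of warning the “size” screenshot describes. The flat, module-wide scope handling is a simplification I chose for brevity.

```python
import ast
import builtins

# Constructed sample program (not from the article): `size` is read but never bound.
SAMPLE_SOURCE = '''
import math
def area(radius):
    total = math.pi * radius ** 2
    return total
def report(values):
    for v in values:
        print(area(v))
    print(size)  # `size` was never assigned anywhere
'''


def collect_bound_names(tree):
    """Pass 1: every name the program binds (defs, params, imports, assignments).

    Scoping is deliberately flat (one module-wide set), which is enough to
    show the idea without a full symbol table.
    """
    bound = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                bound.add((alias.asname or alias.name).split('.')[0])
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
    return bound


def find_undefined_names(source):
    """Pass 2: report (line, name) for each name that is read but never bound."""
    tree = ast.parse(source)          # parse only; the program is never run
    bound = collect_bound_names(tree)
    return [(node.lineno, node.id)
            for node in ast.walk(tree)
            if isinstance(node, ast.Name)
            and isinstance(node.ctx, ast.Load)
            and node.id not in bound]


if __name__ == "__main__":
    for line, name in find_undefined_names(SAMPLE_SOURCE):
        print(f"line {line}: name '{name}' is not defined")
```

Running it prints a single finding for `size` on line 9 of the sample; a real tool would add per-function scopes, `global`/`nonlocal` handling and an editor integration so the warning appears on hover, as in the screenshot.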


References:

Thompson, P. (2021). Static Analysis: An Introduction. ACM Queue, 19(4). https://queue.acm.org/detail.cfm?id=3487021.

Nadeem, A. (2021). Human-Centered Approach to Static-Analysis-Driven Developer Tools. ACM Queue, 19(4).