{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,8]],"date-time":"2026-02-08T22:22:18Z","timestamp":1770589338421,"version":"3.49.0"},"reference-count":100,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2019,12,1]],"date-time":"2019-12-01T00:00:00Z","timestamp":1575158400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2019,12,1]],"date-time":"2019-12-01T00:00:00Z","timestamp":1575158400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2019,12,1]],"date-time":"2019-12-01T00:00:00Z","timestamp":1575158400000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"DEVASSES"},{"name":"European Union's FP7","award":["PIRSES-GA-2013-612569"],"award-info":[{"award-number":["PIRSES-GA-2013-612569"]}]},{"name":"European Commission under Horizon 2020","award":["690116"],"award-info":[{"award-number":["690116"]}]},{"name":"European Commission under Horizon 2020","award":["777154"],"award-info":[{"award-number":["777154"]}]},{"name":"Brazilian MCTIC and RNP","award":["51119"],"award-info":[{"award-number":["51119"]}]},{"name":"CNPq, Intel, and FAPESP's thematic","award":["2013\/25.977-7"],"award-info":[{"award-number":["2013\/25.977-7"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Rel."],"published-print":{"date-parts":[[2019,12]]},"DOI":"10.1109\/tr.2019.2937214","type":"journal-article","created":{"date-parts":[[2019,10,9]],"date-time":"2019-10-09T19:42:00Z","timestamp":1570650120000},"page":"1384-1403","source":"Crossref","is-referenced-by-count":20,"title":["Understanding How to Use Static Analysis Tools for Detecting Cryptography Misuse in Software"],"prefix":"10.1109","volume":"68","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8969-4683","authenticated-orcid":false,"given":"Alexandre","family":"Braga","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7002-875X","authenticated-orcid":false,"given":"Ricardo","family":"Dahab","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6044-4012","authenticated-orcid":false,"given":"Nuno","family":"Antunes","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0011-9901","authenticated-orcid":false,"given":"Nuno","family":"Laranjeiro","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5103-8541","authenticated-orcid":false,"given":"Marco","family":"Vieira","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"crossref","DOI":"10.1201\/b17668","author":"katz","year":"2014","journal-title":"Introduction to Modern Cryptography"},{"key":"ref38","author":"hankerson","year":"2004","journal-title":"Guide to Elliptic Curve Cryptography"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/1082983.1083209"},{"key":"ref32","article-title":"Use of A Taxonomy of Security Faults","author":"aslam","year":"1996"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/185403.185412"},{"key":"ref30","first-page":"134","article-title":"Implementing ECC with Java Standard Edition 7","volume":"3","author":"mart","year":"2013","journal-title":"Int J Comput Artif Intell"},{"key":"ref37","author":"ko\u00e7","year":"0","journal-title":"Cryptographic Engineering"},{"key":"ref36","article-title":"Cryptography Coding Standard","year":"2018"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.59"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-013-9258-8"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813707"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/ICCITechnology.2013.6579513"},{"key":"ref29","first-page":"157","article-title":"Elliptic curve cryptography in practice","author":"bos","year":"2014","journal-title":"Financial Cryptography and Data Security"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884790"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/DASC.2014.22"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/3PGCIC.2014.102"},{"key":"ref24","article-title":"IV = 0 Security Cryptographic Misuse of Libraries","author":"das","year":"2014"},{"key":"ref23","first-page":"315","article-title":"Lessons learned in implementing and deploying crypto software","author":"gutmann","year":"0","journal-title":"Proc 11th USENIX Secur Symp"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382205"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.52"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382204"},{"key":"ref50","author":"howard","year":"2006","journal-title":"The Security Development Lifecycle"},{"key":"ref51","author":"anderson","year":"2008","journal-title":"Security Engineering"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/2814228.2814229"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516655"},{"key":"ref57","article-title":"TOP 25 most dangerous software errors.","year":"2011"},{"key":"ref56","article-title":"Fundamental practices for secure software development","year":"2011"},{"key":"ref55","article-title":"Avoiding The top 10 software security design flaws","year":"2014"},{"key":"ref54","article-title":"OWASP testing project","year":"2015"},{"key":"ref53","article-title":"OWASP top ten project","year":"2013"},{"key":"ref52","author":"shostack","year":"2014","journal-title":"Threat Modeling Designing for Security"},{"key":"ref40","author":"paar","year":"2009","journal-title":"Understanding Cryptography A Textbook for Students and Practitioners"},{"key":"ref4","first-page":"30","article-title":"A survey on tools and techniques for the programming and verification of secure cryptographic software","author":"braga","year":"0","journal-title":"XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais"},{"key":"ref3","article-title":"(ISC)2 Global Information Security Workforce Study","author":"suby","year":"2015"},{"key":"ref6","first-page":"1","article-title":"Introdução à criptografia para programadores: Evitando maus usos da criptografia em sistemas de software","author":"braga","year":"0","journal-title":"Proc Caderno de Minicursos do XV Simpósio Brasileiro em Segurança da Informação e de Sist Computacionais"},{"key":"ref5","first-page":"170","article-title":"Practical evaluation of static code analysis tools for cryptography: Benchmarking method and case study","author":"braga","year":"0","journal-title":"Proc IEEE Int Symp Softw Rel Eng"},{"key":"ref8","first-page":"7","article-title":"Design issues in the construction of a cryptographically secure instant message service for android smartphones","author":"braga","year":"0","journal-title":"Proc Int Conf Emerg Secur Inf Syst Technol"},{"key":"ref49","author":"daswani","year":"2007","journal-title":"Foundations of Security -What Every Programmer Needs to Know"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/ICSSA.2016.12"},{"key":"ref9","first-page":"67","article-title":"Implementation issues in the construction of an application framework for secure SMS messages on android smartphones","author":"braga","year":"0","journal-title":"Proc Int Conf Emerg Secur Inf Syst Technol"},{"key":"ref46","author":"viega","year":"2001","journal-title":"Building Secure Software How to Avoid Security Problems the Right Way"},{"key":"ref45","author":"denis","year":"2006","journal-title":"Cryptography for Developers"},{"key":"ref48","author":"howard","year":"2009","journal-title":"24 Deadly Sins of Software Security Programming Flaws and How to Fix Them"},{"key":"ref47","author":"howard","year":"2003","journal-title":"Writing Secure Code"},{"key":"ref42","author":"knudsen","year":"1998","journal-title":"Java Cryptography"},{"key":"ref41","author":"ferguson","year":"2011","journal-title":"Cryptography Engineering Design Principles and Practical Applications"},{"key":"ref44","author":"hook","year":"2005","journal-title":"Beginning Cryptography with Java"},{"key":"ref43","author":"chandra","year":"2002","journal-title":"Network Security with OpenSSL"},{"key":"ref73","article-title":"Software Assurance Metrics And Tool Evaluation.","year":"2018"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.30"},{"key":"ref71","author":"sommerville","year":"2011","journal-title":"Software Engineering"},{"key":"ref70","article-title":"Project Wycheproof - Scaling crypto testing","author":"bleichenbacher","year":"0","journal-title":"Proc Real World Crypto Symp"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/SCAM.2011.24"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.2"},{"key":"ref74","article-title":"Software Assurance Reference Dataset (SARD).","year":"2017"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2012.345"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.02.005"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2015.08.002"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.38"},{"key":"ref62","article-title":"FindSecBugs.","author":"arteau","year":"2018"},{"key":"ref61","first-page":"1","article-title":"Practical padding oracle attacks","author":"rizzo","year":"0","journal-title":"Proc 4th Usenix Conf Offensive Technologies"},{"key":"ref63","article-title":"SonarQube.","year":"2018"},{"key":"ref64","article-title":"Xanitizer.","year":"2018"},{"key":"ref65","article-title":"VisualCodeGrepper.","year":"2017"},{"key":"ref66","article-title":"Yasca.","author":"scovetta","year":"2019"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2015.12.021"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11698-3_27"},{"key":"ref69","article-title":"Cryptographic Module Validation Program (CMVP)","year":"2019"},{"key":"ref2","first-page":"28","article-title":"A longitudinal and retrospective study on how developers misuse cryptography in online communities","author":"braga","year":"2017","journal-title":"XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS-C.2016.23"},{"key":"ref95","article-title":"Oracle Java Cryptography.","year":"2016"},{"key":"ref94","article-title":"FindBugs.","year":"2015"},{"key":"ref93","article-title":"List of Source Code Analysis Tools.","year":"2017"},{"key":"ref92","article-title":"Towards Developer-Proof Cryptography","author":"junod","year":"0"},{"key":"ref91","article-title":"Java Cryptography Architecture (JCA) Reference Guide.","year":"2017"},{"key":"ref90","article-title":"Study on cryptographic protocols","author":"smart","year":"2014","journal-title":"European Union Agency for Netw Inf Security"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1145\/2986012.2986024"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.14722\/eurousec.2017.23016"},{"key":"ref96","article-title":"Google Android Developers.","year":"2016"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2014.2310221"},{"key":"ref10","first-page":"106","article-title":"Adding Secure Deletion to an Encrypted File System on Android Smartphones","author":"braga","year":"0","journal-title":"Proc Int Conf Emerg Secur Inf Syst Technol"},{"key":"ref11","first-page":"28","article-title":"Integrated technologies for communication security and secure deletion on android smartphones","volume":"8","author":"braga","year":"2015","journal-title":"International Journal on Advances in Security"},{"key":"ref12","article-title":"Towards the safe development of cryptographic software","author":"braga","year":"2017"},{"key":"ref13","author":"chess","year":"2007","journal-title":"Secure Programming with Static Analysis"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2006.43"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/161494.161501"},{"key":"ref82","first-page":"83","article-title":"Manual vs. automated vulnerability assessment: A case study","author":"kupsch","year":"0","journal-title":"Proc 1st Int Workshop Manag Insider Secur Threats"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/2637166.2637237"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/2915970.2915994"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516693"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/ISSREW.2015.7392027"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.4108\/eai.3-12-2015.2262471"},{"key":"ref83","first-page":"17","article-title":"Towards modeling the behavior of static code analysis tools","author":"manohar","year":"0","journal-title":"Proc 9th Cyber Inf Secur Res Conf"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/CCNC.2017.7983245"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/COUFLESS.2015.10"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.2824\/36822"},{"key":"ref85","article-title":"OWASP Benchmark Project.","year":"2017"},{"key":"ref86","author":"howard","year":"2004","journal-title":"Writing Secure Code"},{"key":"ref87","author":"howard","year":"2006","journal-title":"The Security Development Lifecycle"},{"key":"ref88","article-title":"Cryptographic Storage Cheat Sheet.","year":"2017"}],"container-title":["IEEE Transactions on Reliability"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/24\/8917777\/08863426.pdf?arnumber=8863426","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,13]],"date-time":"2022-07-13T21:14:03Z","timestamp":1657746843000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8863426\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,12]]},"references-count":100,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/tr.2019.2937214","relation":{},"ISSN":["0018-9529","1558-1721"],"issn-type":[{"value":"0018-9529","type":"print"},{"value":"1558-1721","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,12]]}}}