{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:25:49Z","timestamp":1750307149722,"version":"3.41.0"},"reference-count":35,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2011,11,14]],"date-time":"2011-11-14T00:00:00Z","timestamp":1321228800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2011,11,14]]},"abstract":"<jats:p>Security is an increasing concern for application developers, whether they are targeting internal customers, organizations or the general public. Particularly for the US public sector with requirements like FIPS 140, developers need to identify and remove superseded cryptography in both legacy applications and new development. This paper outlines a mechanism using static analysis tools to find outdated or improper cryptography and suggest corrections or correct code. This prevents the need for manual inspection and correction by developers familiar with cryptography and is more accurate than text searches.<\/jats:p>","DOI":"10.1145\/2047414.2047427","type":"journal-article","created":{"date-parts":[[2011,11,21]],"date-time":"2011-11-21T19:54:36Z","timestamp":1321905276000},"page":"1-7","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Using static analysis tools to detect and correct non-compliant cryptography"],"prefix":"10.1145","volume":"36","author":[{"given":"Anthony","family":"Langsworth","sequence":"first","affiliation":[{"name":"Symantec, North Sydney, NSW, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2011,11,14]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Fortify 360 Source Code Analyzer (SCA) 2011. https:\/\/www.fortify.com\/products\/fortify360\/ source-code-analyzer.html  Fortify 360 Source Code Analyzer (SCA) 2011. https:\/\/www.fortify.com\/products\/fortify360\/ source-code-analyzer.html"},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Alex Biryukov Dmitry Khovratovich and Ivica Nikoli\u0107. Distinguisher and Related-Key Attack on the Full AES-256 (Extended Version) 2009. Cryptology ePrint Archive Report 2009\/241.  Alex Biryukov Dmitry Khovratovich and Ivica Nikoli\u0107. Distinguisher and Related-Key Attack on the Full AES-256 (Extended Version) 2009. Cryptology ePrint Archive Report 2009\/241.","DOI":"10.1007\/978-3-642-03356-8_14"},{"key":"e_1_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Andrey Bogdanov Dmitry Khovratovich and Christian Rechberger. Biclique Cryptanalysis of the Full AES 2011. Cryptology ePrint Archive Report 2011\/449.  Andrey Bogdanov Dmitry Khovratovich and Christian Rechberger. Biclique Cryptanalysis of the Full AES 2011. Cryptology ePrint Archive Report 2011\/449.","DOI":"10.1007\/978-3-642-25385-0_19"},{"key":"e_1_2_1_6_1","unstructured":"Steve Christey. CWE top 25 most dangerous software errors 2011. http:\/\/cwe.mitre.org\/top25\/.  Steve Christey. CWE top 25 most dangerous software errors 2011. http:\/\/cwe.mitre.org\/top25\/."},{"key":"e_1_2_1_7_1","unstructured":"Coverity Inc. Coverity Static Analysis 2011. http:\/\/ www.coverity.com\/products\/static-analysis.html  Coverity Inc. Coverity Static Analysis 2011. http:\/\/ www.coverity.com\/products\/static-analysis.html"},{"key":"e_1_2_1_8_1","unstructured":"CWE-320: Key Management Errors. http:\/\/cwe.mitre.org\/data\/definitions\/320.html  CWE-320: Key Management Errors. http:\/\/cwe.mitre.org\/data\/definitions\/320.html"},{"key":"e_1_2_1_9_1","unstructured":"CWE-326: Inadequate Encryption Strength. http:\/\/cwe.mitre.org\/data\/definitions\/326.html  CWE-326: Inadequate Encryption Strength. http:\/\/cwe.mitre.org\/data\/definitions\/326.html"},{"key":"e_1_2_1_10_1","unstructured":"CWE-327: Use of a Broken or Risky Cryptographic Algorithm. http:\/\/cwe.mitre.org\/data\/definitions\/327.html  CWE-327: Use of a Broken or Risky Cryptographic Algorithm. http:\/\/cwe.mitre.org\/data\/definitions\/327.html"},{"key":"e_1_2_1_11_1","doi-asserted-by":"crossref","unstructured":"T. Dierks and C. Allen. The TLS Protocol Version 1.0 January 1999. http:\/\/www.ietf.org\/rfc\/rfc2246.txt   T. Dierks and C. Allen. The TLS Protocol Version 1.0 January 1999. http:\/\/www.ietf.org\/rfc\/rfc2246.txt","DOI":"10.17487\/rfc2246"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/52.976940"},{"key":"e_1_2_1_13_1","unstructured":"J. Franks P. Hallam-Baker J. Hostetler S. Lawrence P. Leach A. Luotonen and L. Stewart. Http authentication: Basic and digest access authentication. http:\/\/www.ietf.org\/rfc\/rfc2617.txt   J. Franks P. Hallam-Baker J. Hostetler S. Lawrence P. Leach A. Luotonen and L. Stewart. Http authentication: Basic and digest access authentication. http:\/\/www.ietf.org\/rfc\/rfc2617.txt"},{"key":"e_1_2_1_14_1","unstructured":"The Open Group. 'grep' Reference 2008. http:\/\/pubs.opengroup.org\/onlinepubs\/ 9699919799\/utilities\/grep.html  The Open Group. 'grep' Reference 2008. http:\/\/pubs.opengroup.org\/onlinepubs\/ 9699919799\/utilities\/grep.html"},{"key":"e_1_2_1_15_1","unstructured":"Aberdeen Group. Security and the software development lifecycle: Secure at the source December 2010. http:\/\/www.aberdeen.com\/Aberdeen-Library\/6825\/RB-software-development-lifecycle.aspx  Aberdeen Group. Security and the software development lifecycle: Secure at the source December 2010. http:\/\/www.aberdeen.com\/Aberdeen-Library\/6825\/RB-software-development-lifecycle.aspx"},{"key":"e_1_2_1_16_1","unstructured":"Michael Howard and David LeBlanc. Writing Secure Code. Microsoft Press Redmond Wash. 2nd edition 2003.   Michael Howard and David LeBlanc. Writing Secure Code. Microsoft Press Redmond Wash. 2nd edition 2003."},{"key":"e_1_2_1_17_1","unstructured":"Michael Howard. SDL Crypto Code Review Macro June 2007. http: \/\/blogs.msdn.com\/b\/michael_howard\/archive\/ 2007\/06\/14\/sdl-crypto-code-review-macro.aspx  Michael Howard. SDL Crypto Code Review Macro June 2007. http: \/\/blogs.msdn.com\/b\/michael_howard\/archive\/ 2007\/06\/14\/sdl-crypto-code-review-macro.aspx"},{"key":"e_1_2_1_18_1","unstructured":"Michael Howard. Banned Crypto and the SDL Jul 2009. http:\/\/blogs.msdn.com\/b\/sdl\/archive\/2009\/07\/16\/banned-crypto-and-the-sdl.aspx  Michael Howard. Banned Crypto and the SDL Jul 2009. http:\/\/blogs.msdn.com\/b\/sdl\/archive\/2009\/07\/16\/banned-crypto-and-the-sdl.aspx"},{"key":"e_1_2_1_19_1","unstructured":"ISACA. COBIT 5 Initiative|Status Update June 2011. http:\/\/www.isaca.org\/Knowledge-Center\/cobit\/Pages\/COBIT-5-Initiative-Status-Update.aspx  ISACA. COBIT 5 Initiative|Status Update June 2011. http:\/\/www.isaca.org\/Knowledge-Center\/cobit\/Pages\/COBIT-5-Initiative-Status-Update.aspx"},{"key":"e_1_2_1_20_1","first-page":"20054","volume-title":"Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04)","volume":"2","author":"Lee Earl E."},{"key":"e_1_2_1_21_1","unstructured":"Microsoft. FxCop 2011. http:\/\/msdn.microsoft.com\/en-us\/library\/bb429476(v=vs.80).aspx  Microsoft. FxCop 2011. http:\/\/msdn.microsoft.com\/en-us\/library\/bb429476(v=vs.80).aspx"},{"key":"e_1_2_1_22_1","unstructured":"National Institute of Standards and Technology (NIST). FIPS 140-2 Security Requirements for Cryptographic Modules May 2001. Publication: http:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/Fips140-2.zip Module validation: http: \/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html Algorithm validation: http: \/\/csrc.nist.gov\/groups\/STM\/cavp\/index.html Annex C containing RNG requirements: http:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/fips1402annexc.pdf  National Institute of Standards and Technology (NIST). FIPS 140-2 Security Requirements for Cryptographic Modules May 2001. Publication: http:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/Fips140-2.zip Module validation: http: \/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html Algorithm validation: http: \/\/csrc.nist.gov\/groups\/STM\/cavp\/index.html Annex C containing RNG requirements: http:\/\/csrc.nist.gov\/publications\/fips\/fips140-2\/fips1402annexc.pdf"},{"key":"e_1_2_1_23_1","unstructured":"National Institute of Standards and Technology (NIST). FIPS 140-3 Draft December 2009. http:\/\/csrc.nist.gov\/publications\/drafts\/ fips140-3\/revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip  National Institute of Standards and Technology (NIST). FIPS 140-3 Draft December 2009. http:\/\/csrc.nist.gov\/publications\/drafts\/ fips140-3\/revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip"},{"key":"e_1_2_1_24_1","unstructured":"National Security Agency (NSA). NSA Suite B Cryptography Nov 2010. http:\/\/www.nsa.gov\/ia\/programs\/suiteb_cryptography\/  National Security Agency (NSA). NSA Suite B Cryptography Nov 2010. http:\/\/www.nsa.gov\/ia\/programs\/suiteb_cryptography\/"},{"key":"e_1_2_1_25_1","unstructured":"D. Nelson. Crypto-Agility Requirements for Remote Dial-In User Service (RADIUS) November 2008. http:\/\/tools.ietf.org\/html\/ draft-ietf-radext-crypto-agility-requirements-01  D. Nelson. Crypto-Agility Requirements for Remote Dial-In User Service (RADIUS) November 2008. http:\/\/tools.ietf.org\/html\/ draft-ietf-radext-crypto-agility-requirements-01"},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Hilarie Orman and Paul Hoffman. Determining strengths for public keys used for exchanging symmetric keys January 2004. http:\/\/tools.ietf.org\/html\/draft-orman-public-key-lengths-08   Hilarie Orman and Paul Hoffman. Determining strengths for public keys used for exchanging symmetric keys January 2004. http:\/\/tools.ietf.org\/html\/draft-orman-public-key-lengths-08","DOI":"10.17487\/rfc3766"},{"key":"e_1_2_1_27_1","unstructured":"Yekaterina Tsipenyuk O'Neil. A few words about crypto March 2009. http:\/\/blog.fortify.com\/blog\/2009\/03\/12\/A-Few-Words-about-Crypto.  Yekaterina Tsipenyuk O'Neil. A few words about crypto March 2009. http:\/\/blog.fortify.com\/blog\/2009\/03\/12\/A-Few-Words-about-Crypto."},{"key":"e_1_2_1_28_1","unstructured":"OWASP. OWASP guide to cryptography May 2009. https:\/\/www.owasp.org\/index.php\/Guide_to_ Cryptography.  OWASP. OWASP guide to cryptography May 2009. https:\/\/www.owasp.org\/index.php\/Guide_to_ Cryptography."},{"volume-title":"The WHIRLPOOL Hashing Function","year":"2003","author":"Paulo","key":"e_1_2_1_29_1"},{"key":"e_1_2_1_30_1","unstructured":"C. Rigney S. Willens A. Rubens and W. Simpson. Remote Authentication Dial In User Service (RADIUS). http:\/\/www.ietf.org\/rfc\/rfc2865.txt   C. Rigney S. Willens A. Rubens and W. Simpson. Remote Authentication Dial In User Service (RADIUS). http:\/\/www.ietf.org\/rfc\/rfc2865.txt"},{"key":"e_1_2_1_31_1","unstructured":"Stacy Simpson. Fundamental practices for secure software development February 2011. Pages 32--36 of http:\/\/www.safecode.org\/publications\/SAFECode_Dev_Practices0211.pdf  Stacy Simpson. Fundamental practices for secure software development February 2011. Pages 32--36 of http:\/\/www.safecode.org\/publications\/SAFECode_Dev_Practices0211.pdf"},{"key":"e_1_2_1_32_1","first-page":"88","volume-title":"Proceedings of the 8th Australian workshop on Safety critical systems and software -","volume":"33","author":"Smith J.","year":"2003"},{"key":"e_1_2_1_33_1","unstructured":"Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik and Benne de Weger. MD5 considered harmful today December 2008. http:\/\/www.win.tue.nl\/hashclash\/rogue-ca\/  Alexander Sotirov Marc Stevens Jacob Appelbaum Arjen Lenstra David Molnar Dag Arne Osvik and Benne de Weger. MD5 considered harmful today December 2008. http:\/\/www.win.tue.nl\/hashclash\/rogue-ca\/"},{"key":"e_1_2_1_34_1","unstructured":"Bryan Sullivan. Cryptographic agility: Defending against the sneakers scenario. https:\/\/media. blackhat.com\/bh-us-10\/presentations\/Sullivan\/BlackHat-USA-2010-Sullivan-Cryptographic-Agility-slides.pdf  Bryan Sullivan. Cryptographic agility: Defending against the sneakers scenario. https:\/\/media. blackhat.com\/bh-us-10\/presentations\/Sullivan\/BlackHat-USA-2010-Sullivan-Cryptographic-Agility-slides.pdf"},{"volume-title":"Microsoft Developer Network (MSDN) Magazine","year":"2009","author":"Sullivan Bryan","key":"e_1_2_1_35_1"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1049\/sej.1995.0010"},{"key":"e_1_2_1_37_1","first-page":"2010","volume":"10","author":"Williams Jeff","year":"2010","journal-title":"OWASP Top"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2047414.2047427","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2047414.2047427","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T09:54:13Z","timestamp":1750240453000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2047414.2047427"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,11,14]]},"references-count":35,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2011,11,14]]}},"alternative-id":["10.1145\/2047414.2047427"],"URL":"https:\/\/doi.org\/10.1145\/2047414.2047427","relation":{},"ISSN":["0163-5948"],"issn-type":[{"type":"print","value":"0163-5948"}],"subject":[],"published":{"date-parts":[[2011,11,14]]},"assertion":[{"value":"2011-11-14","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}