Standardizing Source Code Security Audits

A source code security audit is a powerful methodology for locating and removing security vulnerabilities. An audit can be used to (1) pass potentially prioritized list of vulnerabilities to developers (2) exploit vulnerabilities or (3) provide proof-of-concepts for potential vulnerabilities. The security audit research currently remains disjoint with minor discussion of methodologies utilized in the field. This paper assembles a broad array of literature to promote standardizing source code security audits techniques. It, then, explores a case study using the aforementioned techniques. The case study analyzes the security for a stable version of the Apache Traffic Server (ATS). The study takes a white to gray hat point of view as it reports vulnerabilities located by two popular proprietary tools, examines and connects potential vulnerabilities with a standard community-driven taxonomy, and describes consequences for exploiting the vulnerabilities. A review of other security-driven case studies concludes this research.