Towards Better Utilizing Static Application Security Testing
Title | Towards Better Utilizing Static Application Security Testing |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Yang, Jinqiu, Tan, Lin, Peyton, John, A Duer, Kristofer |
Conference Name | 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP) |
Date Published | May |
Keywords | actionable vulnerability warnings, composability, data visualisation, Human Behavior, Priv, program diagnostics, program testing, pubcrawl, quality-assurance effort, Resiliency, SAST product, SAST techniques, Scalability, security experts, security of data, software assurance, software quality, software reliability, static analysis, static application security testing, static bug detection, static program analysis, utilization of software engineering tools, vulnerability warnings |
Abstract | Static application security testing (SAST) detects vulnerability warnings through static program analysis. Fixing the vulnerability warnings tremendously improves software quality. However, SAST has not been fully utilized by developers due to various reasons: difficulties in handling a large number of reported warnings, a high rate of false warnings, and a lack of guidance in fixing the reported warnings. In this paper, we collaborated with security experts from a commercial SAST product and propose a set of approaches (Priv) to help developers better utilize SAST techniques. First, Priv identifies preferred fix locations for the detected vulnerability warnings and groups them based on the common fix locations. Priv also leverages visualization techniques so that developers can quickly investigate the warnings in groups and prioritize their quality-assurance effort. Second, Priv identifies actionable vulnerability warnings by removing SAST-specific false positives. Finally, Priv provides customized fix suggestions for vulnerability warnings. Our evaluation of Priv on six web applications highlights the accuracy and effectiveness of Priv. For 75.3% of the vulnerability warnings, the preferred fix locations found by Priv are identical to the ones annotated by security experts. The visualization based on shared preferred fix locations is useful for prioritizing quality-assurance efforts. Priv reduces the rate of SAST-specific false positives significantly. Finally, Priv is able to provide fully complete and correct fix suggestions for 75.6% of the evaluated warnings. Priv is well received by security experts, and some features are already integrated into industrial practice. |
DOI | 10.1109/ICSE-SEIP.2019.00014 |
Citation Key | yang_towards_2019 |