Visible to the public Towards Better Utilizing Static Application Security Testing

TitleTowards Better Utilizing Static Application Security Testing
Publication TypeConference Paper
Year of Publication2019
AuthorsYang, Jinqiu, Tan, Lin, Peyton, John, A Duer, Kristofer
Conference Name2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
Date Publishedmay
Keywordsactionable vulnerability warnings, composability, data visualisation, Priv, program diagnostics, program testing, pubcrawl, quality-assurance effort, SAST product, SAST techniques, Scalability, security experts, security of data, software assurance, software quality, software reliability, static application security testing, static bug detection, static program analysis, utilization of software engineering tools, vulnerability warnings
AbstractStatic application security testing (SAST) detects vulnerability warnings through static program analysis. Fixing the vulnerability warnings tremendously improves software quality. However, SAST has not been fully utilized by developers due to various reasons: difficulties in handling a large number of reported warnings, a high rate of false warnings, and lack of guidance in fixing the reported warnings. In this paper, we collaborated with security experts from a commercial SAST product and propose a set of approaches (Priv) to help developers better utilize SAST techniques. First, Priv identifies preferred fix locations for the detected vulnerability warnings, and group them based on the common fix locations. Priv also leverages visualization techniques so that developers can quickly investigate the warnings in groups and prioritize their quality-assurance effort. Second, Priv identifies actionable vulnerability warnings by removing SAST-specific false positives. Finally, Priv provides customized fix suggestions for vulnerability warnings. Our evaluation of Priv on six web applications highlights the accuracy and effectiveness of Priv. For 75.3% of the vulnerability warnings, the preferred fix locations found by Priv are identical to the ones annotated by security experts. The visualization based on shared preferred fix locations is useful for prioritizing quality-assurance efforts. Priv reduces the rate of SAST-specific false positives significantly. Finally, Priv is able to provide fully complete and correct fix suggestions for 75.6% of the evaluated warnings. Priv is well received by security experts and some features are already integrated into industrial practice.
Citation Keyyang_towards_2019