An Extensive Comparison of Static Application Security Testing Tools (EASE 2024 - Research Papers)

Who

Matteo Esposito, Valentina Falaschi, Davide Falessi

Track

EASE 2024 Research Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Thu 20 Jun 2024 14:12 - 14:25 at Room Vietri - Security (1) Chair(s): Giuseppe Scanniello

Abstract

Context: Static Application Security Testing Tools (SASTTs) identify software vulnerabilities to support the security and reliability of software applications. Interestingly, several studies have suggested that alternative solutions may be more effective than SASTTs due to their tendency to generate false alarms, commonly referred to as low Precision.

Aim: We aim to comprehensively evaluate SASTTs, setting a reliable benchmark for assessing and finding gaps in vulnerability identification mechanisms based on SASTTs or alternatives.

Method: Our SASTTs evaluation is based on a controlled, though synthetic, Java codebase, it involves an assessment of 1.5 million test executions, and it features innovative methodological features such as effort-aware accuracy metrics and method-level analysis.

Results: Our findings reveal that SASTTs detect a tiny range of vulnerabilities. In contrast to prevailing wisdom, SASTTs exhibit high Precision while falling short in Recall. Conclusions: The paper suggests that enhancing Recall, alongside expanding the spectrum of detected vulnerability types, should be the primary focus for improving SASTTs or alternative approaches, such as machine learning-based vulnerability identification solutions.

Link to Preprint

http://dx.doi.org/10.13140/RG.2.2.12326.54085

Matteo Esposito

University of Rome Tor Vergata

Italy

Valentina Falaschi

University of Rome Tor Vergata

Italy

Davide Falessi

University of Rome Tor Vergata, Italy

Italy

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Thu 20 Jun
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

14:00 - 15:30	Security (1)Industry / Research Papers / Short Papers, Vision and Emerging Results at Room Vietri Chair(s): Giuseppe Scanniello University of Salerno

14:00 12m Talk		Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications Research Papers Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University
14:12 12m Talk		An Extensive Comparison of Static Application Security Testing Tools Research Papers Matteo Esposito University of Rome Tor Vergata, Valentina Falaschi University of Rome Tor Vergata, Davide Falessi University of Rome Tor Vergata, Italy Pre-print
14:25 12m Talk		Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers Industry Therese Fehrer JADS, Tilburg University صs-Hertogenbosch, Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Dario Di Nucci University of Salerno, Damian Andrew Tamburri TU/e
14:38 12m Talk		Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries Short Papers, Vision and Emerging Results Alexandros Tsakpinis fortiss GmbH, Alexander Pretschner TU Munich DOI Pre-print
14:51 12m Talk		Unveiling iOS Scamwares through Crowdturfing Reviews Short Papers, Vision and Emerging Results Zhipeng Xu Shanghai Jiao Tong University
15:04 12m Talk		Mining REST APIs for Potential Mass Assignment Vulnerabilities Short Papers, Vision and Emerging Results Arash Mazidi , Davide Corradini University of Verona, Mohammad Ghafari TU Clausthal
15:17 12m Talk		Negative Complement of a Set of Vulnerability-Fixing Commits: Method and Dataset Industry Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Tommaso Aiello SAP Security Research