Write a Blog >>
ESEM 2021
Mon 11 - Fri 15 October 2021
Tue 12 Oct 2021 14:35 - 14:50 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci

Background: Static Application Security Testing (SAST) tools purport to assist developers in detecting security issues in source code. These tools typically use rule-based approaches to scan source code for security vulnerabilities. However, due to the significant shortcomings of these tools (i.e., high false positive rates), learning-based approaches for Software Vulnerability Prediction (SVP) are becoming a popular approach.

Aims: Despite the similar objectives of these two approaches, their comparative value is unexplored. We provide an empirical analysis of SAST tools and SVP models, to identify their relative capabilities for source code security analysis.

Method: We evaluate the detection and assessment performance of several common SAST tools and SVP models on a variety of vulnerability datasets. We further assess the viability and potential benefits of combining the two approaches.

Results: SAST tools and SVP models provide similar detection capabilities, but SVP models exhibit better overall performance for both detection and assessment. Unification of the two approaches is difficult due to lacking synergies.

Conclusions: Our study generates 12 main findings which provide insights into the capabilities and synergy of these two approaches. Through these observations we provide recommendations for use and improvement.

Tue 12 Oct

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

14:20 - 15:15
Testing & Security 1Technical Papers / Emerging Results and Vision papers at ESEM ROOM
Chair(s): Davide Fucci Blekinge Institute of Technology
A comparative study of vulnerability reporting by software composition analysis tools
Technical Papers
Nasif Imtiaz North Carolina State University, Seaver Thorn North Carolina State University, Laurie Williams North Carolina State University
Pre-print Media Attached
An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing
Technical Papers
Roland Croft , Dominic Newlands University of Adelaide, Ziyu Chen Monash University, Muhammad Ali Babar University of Adelaide
Pre-print Media Attached
An Empirical Analysis of Practitioners' Perspectives on Security Tool Integration into DevOps
Technical Papers
Roshan Namal Rajapakse The University of Adelaide, Mansooreh Zahedi The Univeristy of Melbourne, Muhammad Ali Babar University of Adelaide
Why Some Bug-bounty Vulnerability Reports are Invalid?
Emerging Results and Vision papers
Saman Shafigh University of New South Wales, Boualem Benatallah University of New South Wales, Carlos Rodriguez University of New South Wales, Mortada Al-Banna University of New South Wales

Information for Participants
Tue 12 Oct 2021 14:20 - 15:15 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci
Info for room ESEM ROOM: