An Empirical Study on Static Application Security Testing (SAST) Tools for Python
Distinguished Paper Award
Python is currently the most popular programming language and ensuring the security of Python applications has become a critical concern. Static Application Security Testing (SAST) tools have been introduced to address this need, claiming to support a wide range of Common Weakness Enumerations (CWEs). However, the ability of these tools to detect real-world vulnerabilities in Python programs has not been comprehensively evaluated.
In this paper, we selected eight SAST tools from 117 existing ones based on well-designed criteria. Using both a synthetic and a real-world dataset, we evaluated and compared these SAST tools from different perspectives, including effectiveness and efficiency. Our results reveal significant limitations in current SAST tools: although they perform well on the synthetic dataset, no single tool detects more than 40% of the vulnerabilities in our real-world dataset. Even when aggregating the outputs of all evaluated tools, only 66.7% of the real-world vulnerabilities are identified. To further understand these shortcomings, we performed a root cause analysis of the detection results and identified useful insights for both SAST tool developers and users, focusing on tool development, evaluation, and selection.
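The abstract reports per-tool detection rates and an aggregated rate obtained by combining every tool's output. The following added example (not code from the paper or from any of the evaluated tools) shows how such numbers are computed: findings from several tools are matched against a ground-truth vulnerability set by file, CWE and a line tolerance, then per-tool recall, per-tool precision and the union recall are derived. The tool names, file paths and finding sets are constructed for illustration and are not from the study.

```python
"""Per-tool and aggregated recall of SAST findings against a ground-truth
vulnerability set. Added illustration with constructed data; not the paper's
dataset, tools or numbers."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Finding:
    """One reported (or ground-truth) vulnerability location."""
    file: str
    line: int
    cwe: str


# Constructed ground truth: six known real-world vulnerabilities.
GROUND_TRUTH: Set[Finding] = {
    Finding("app/views.py", 42, "CWE-89"),
    Finding("app/views.py", 88, "CWE-79"),
    Finding("app/utils.py", 10, "CWE-78"),
    Finding("app/utils.py", 57, "CWE-502"),
    Finding("app/auth.py", 23, "CWE-327"),
    Finding("app/io.py", 15, "CWE-22"),
}

# Constructed reports from three hypothetical tools (names are placeholders).
TOOL_REPORTS: Dict[str, Set[Finding]] = {
    "tool_a": {
        Finding("app/views.py", 43, "CWE-89"),   # off by one line: still a hit
        Finding("app/utils.py", 10, "CWE-78"),
        Finding("app/views.py", 200, "CWE-79"),  # no matching truth: false positive
    },
    "tool_b": {
        Finding("app/views.py", 42, "CWE-89"),   # overlaps with tool_a
        Finding("app/auth.py", 23, "CWE-327"),
    },
    "tool_c": {
        Finding("app/io.py", 16, "CWE-22"),
        Finding("app/utils.py", 57, "CWE-79"),   # right line, wrong CWE: not a hit
    },
}


def match(finding: Finding, truth: Iterable[Finding], tolerance: int = 2) -> Optional[Finding]:
    """Return the ground-truth entry a finding corresponds to, if any.

    A hit requires the same file and CWE and a line number within `tolerance`
    lines, which absorbs small differences in where tools anchor a report.
    """
    for t in truth:
        if finding.file == t.file and finding.cwe == t.cwe and abs(finding.line - t.line) <= tolerance:
            return t
    return None


def detected(report: Set[Finding], truth: Set[Finding]) -> Set[Finding]:
    """Ground-truth vulnerabilities that at least one finding in `report` hits."""
    hits = (match(f, truth) for f in report)
    return {t for t in hits if t is not None}


def recall(report: Set[Finding], truth: Set[Finding]) -> Fraction:
    """Fraction of ground-truth vulnerabilities the report detects."""
    return Fraction(len(detected(report, truth)), len(truth))


def precision(report: Set[Finding], truth: Set[Finding]) -> Fraction:
    """Fraction of reported findings that correspond to a real vulnerability."""
    true_positives = sum(1 for f in report if match(f, truth) is not None)
    return Fraction(true_positives, len(report))


def per_tool_recall(reports: Dict[str, Set[Finding]], truth: Set[Finding]) -> Dict[str, Fraction]:
    return {name: recall(rep, truth) for name, rep in reports.items()}


def aggregated_recall(reports: Dict[str, Set[Finding]], truth: Set[Finding]) -> Fraction:
    """Recall of the union of all tools' detections: a vulnerability counts as
    found if any tool reports it."""
    union: Set[Finding] = set()
    for rep in reports.values():
        union |= detected(rep, truth)
    return Fraction(len(union), len(truth))


if __name__ == "__main__":
    for name, rep in TOOL_REPORTS.items():
        print(f"{name}: recall={float(recall(rep, GROUND_TRUTH)):.3f} "
              f"precision={float(precision(rep, GROUND_TRUTH)):.3f}")
    print(f"union recall={float(aggregated_recall(TOOL_REPORTS, GROUND_TRUTH)):.3f}")
```

On the constructed data each tool alone finds at most a third of the ground truth, while the union of all three reaches two thirds; the gap between the best single tool and the union is what makes tool selection and combination a practical question, and the line tolerance and CWE-equality rule in `match` are the kind of matching choices an evaluation has to state explicitly, since they directly move the reported rates.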
Wed 15 Apr (displayed time zone: Brasilia, Distrito Federal, Brazil)
14:00 - 15:30 | Testing and Analysis 4 | Research Track / SE In Practice (SEIP) | Oceania IX | Chair(s): Anil Koyuncu (Bilkent University)

14:00 (15m, Talk) | SymRadar: PoC-Centered Bounded Verification for Vulnerability Repair | Research Track

14:15 (15m, Talk) | Fine-Grained Analyses for Evolution-Aware Runtime Verification | Research Track | Pengyue Jiang (Cornell University), Kevin Guan (Cornell University), M. Mahdi Khosravi (Middle East Technical University), Moustafa Ismail (Middle East Technical University), Marcelo d'Amorim (North Carolina State University), Owolabi Legunsen (Cornell University)

14:30 (15m, Talk) | An Empirical Study on Static Application Security Testing (SAST) Tools for Python (Distinguished Paper Award) | Research Track | Liu Zhuohang (Nankai University), Zhi Wang (Nankai University), Haotong Liu (Nankai University), Wanpeng Li (University of Liverpool)

14:45 (15m, Talk) | NotDec: WebAssembly Decompilation With Inter-Procedural Type Recovery | Research Track | Jikai Wang (Huazhong University of Science and Technology), Ningyu He (Hong Kong Polytechnic University), Tianming Liu (Huazhong University of Science and Technology), Junhai Wang (Huazhong University of Science and Technology), Haoyu Wang (Huazhong University of Science and Technology)

15:00 (15m, Talk) | PyXray: Practical Cross-Language Call Graph Construction through Object Layout Analysis | Research Track | Georgios Alexopoulos (University of Athens), Thodoris Sotiropoulos (ETH Zurich), Georgios Gousios (Endor Labs), Zhendong Su (ETH Zurich), Dimitris Mitropoulos (University of Athens) | Pre-print

15:15 (15m, Talk) | HapCheck: DSL-Based Static Bug Detection Framework for OpenHarmony | SE In Practice (SEIP) | Xitong Zhong (Beihang University), Chang Liu (Beihang University), Runlin Liu (Beihang University), Zifu Xu (Beihang University), Zhengyao Liu (Beihang University), Juqi Zhou (Beihang University), Gang Fan (Huawei Hong Kong Research Centre), Mingyi Zhou (Beihang University), Xiang Gao (Beihang University), Li Li (Beihang University)