What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool

Security vulnerabilities are often accidentally introduced as developers implement code. While there are a variety of existing tools to help detect security vulnerabilities, they are seldom used by developers due to the time or security expertise required. We are investigating techniques integrated within the IDE to help developers detect and mitigate security vulnerabilities. In previous work, we examined the questions developers ask when investigating security vulnerabilities with static analysis tools. With those questions as a lens, we now investigate our proposed approach of interactive static analysis. We evaluated the interactions and perceptions of professional developers as they interacted with warnings produced by our tool. Our results provide evidence that our approach effectively communicates security vulnerability information to software developers and provides design guidance for such tools.
