An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing

Croft, Roland; Newlands, Dominic; Chen, Ziyu; Babar, Muhammad Ali

doi:10.1145/3475716.3475781

Cited by 32 publications

(7 citation statements)

References 61 publications

(77 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Language consideration could also be potentially strengthened in several research areas. For instance, vulnerability prediction models often do not consider the characteristics or features of the languages that they target (Yang et al 2017;Croft et al 2021).…”

Section: Discussionmentioning

confidence: 99%

An Empirical Study of Developers' Discussions about Security Challenges of Different Programming Languages

Croft¹,

Xie²,

Zahedi³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Given programming languages can provide different types and levels of security support, it is critically important to consider security aspects while selecting programming languages for developing software systems. Inadequate consideration of security in the choice of a programming language may lead to potential ramifications for secure development. Whilst theoretical analysis of the supposed security properties of different programming languages has been conducted, there has been relatively little effort to empirically explore the actual security challenges experienced by developers. We have performed a large-scale study of the security challenges of 15 programming languages by quantitatively and qualitatively analysing the developers' discussions from Stack Overflow and GitHub. By leveraging topic modelling, we have derived a taxonomy of 18 major security challenges for 6 topic categories. We have also conducted comparative analysis to understand how the identified challenges vary regarding the different programming languages and data sources. Our findings suggest that the challenges and their characteristics differ substantially for different programming languages and data sources, i.e., Stack Overflow and GitHub. The findings provide evidence-based insights and understanding of security challenges related to different programming languages to software professionals (i.e., practitioners or researchers). The reported taxonomy of security challenges can assist both practitioners and researchers in better understanding and traversing the secure development landscape. This study highlights the importance of the choice of technology, e.g., programming language, in secure software engineering. Hence, the findings are expected to motivate practitioners to consider the potential impact of the choice of programming languages on software security.

show abstract

Section: Discussionmentioning

confidence: 99%

An Empirical Study of Developers' Discussions about Security Challenges of Different Programming Languages

Croft¹,

Xie²,

Zahedi³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Finally, we computed the Matthews Correlation Coefficient (MCC) [70], which is a single-value classification metric that is more interpretable and robust to changes in the prediction goal [71] because it summarizes the results of all four quadrants of a confusion matrix, i.e., true positive, false negative, true negative, and false positive [72]. The MCC metric is calculated as MCC =…”

Section: Performance Metricsmentioning

confidence: 99%

Incivility Detection in Open Source Code Review and Issue Discussions

Ferreira¹,

Rafiq

Cheng³

2022

SSRN Journal

View full text Add to dashboard Cite

“…Other studies, such as [20], focus on SAST tools for detecting vulnerabilities and find that the true positive and false positive rates vary widely across tools and across different types of vulnerabilities. Croft et al [21] compares open-source, rule-based SAST tools with learning-based software vulnerability prediction models for C/C++ software systems. Croft et al [21] concluded that although learning-based approaches had better precision, both learning-based and SAST tools approaches should be used independently.…”

Section: Comparing Static Application Security Testing (Sast) and Dyn...mentioning

confidence: 99%

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Seth¹,

Bhattacharya²,

Elder³

et al. 2022

SSRN Journal

View full text Add to dashboard Cite

An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing

Cited by 32 publications

References 61 publications

An Empirical Study of Developers' Discussions about Security Challenges of Different Programming Languages

An Empirical Study of Developers' Discussions about Security Challenges of Different Programming Languages

Incivility Detection in Open Source Code Review and Issue Discussions

Comparing Effectiveness and Efficiency of Interactive Application Security Testing (Iast) and Runtime Application Self-Protection (Rasp) Tools in A Large Java-Based System

Contact Info

Product

Resources

About