How Do Developers Act on Static Analysis Alerts? An Empirical Study of Coverity Usage

Imtiaz, Nasif; Murphy, Brendan; Williams, Laurie

doi:10.1109/issre.2019.00040

Cited by 23 publications

(8 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Research have shown that the structural modeling methodology, "classical" higher mathematics, the "soft" computing's theory for a classes of problems and models wide range solving are described in sufficient detail in the scientists works. So, for example, it is described in the works devoted to the DSS systems software creation [7,8], the calculations general mathematical methods development in the decision support interests [4], and mathematical modeling interests [17,18]. Despite the rather long history and these methods variety, their improvement and use will allow one to fulfill a particular scientific tasks number of increasing software security.…”

Section: Fig 7 the Reducing Uncertainties Methods Classificationmentioning

confidence: 99%

See 1 more Smart Citation

Analysis and Comparative Researches of Methods for Improving the Software

Mozhaiev¹,

Davydov

Zhang

2020

A.I.S.

View full text Add to dashboard Cite

Ab s t r a c t. The results analysis of main methods for identifying software vulnerabilities presents in the article. The results of authors' research, synthesizing and regulating knowledge about systems for detecting software vulnerabilities, are presented. The software analysis methods used during certification tests are considered. It is shown that the methods and techniques existing for software security analysis use do not ensure the result accuracy under fuzzy input data conditions. This drawback is aggravated by strict requirements for the test scenarios implementation speed. This is largely due to the fact that experts, in order to a decision make, have to conflicting information large amounts analyzed. Consequently, it is necessary to develop a system for identifying vulnerabilities, the main task of which will be to the conflicting information amount minimize used by an expert when making a decision. The most promising direction the existing identifying vulnerabilities systems efficiency increasing is seen in reducing the burden on an expert by methods for identifying vulnerabilities and implementing a decision support system improving. This will significantly reduce the time spent on a decision making on software security, and, as a result, will the software security testing procedure accessible to a developer's wide range make more. K e ywor d s : computer systems; Software; security risks; security threats.

show abstract

Section: Fig 7 the Reducing Uncertainties Methods Classificationmentioning

confidence: 99%

“…Open sources information research [1,8,16] made it possible to present the most common vulnerabilities types. The software security threats classification is presented in Fig.…”

Section: The Requirements and Security Risks Analysis Of Computer Sysmentioning

confidence: 99%

Analysis and Comparative Researches of Methods for Improving the Software

Mozhaiev¹,

Davydov

Zhang

2020

A.I.S.

View full text Add to dashboard Cite

show abstract

“…Looking at SAT notification information specifically, notification content can be confusing and require a search engine to understand the words used [53]. Empirically, developers also require an unexpectedly large amount of time to fix low-complexity SAT-identified issues [46] suggesting that comprehending and applying the notification content was not straight-forward. Google had its own developers use a SAT and found that 75% of the bugs they reported were related to misunderstandings of the notification content [83].…”

Section: Communicating With Developersmentioning

confidence: 99%

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

“…It is important to highlight that SDP is not the only method that can be used to find defects in software systems. For instance, model checking [50] and static code analysis (e.g., Coverity [51]) can be deployed to find defects in software systems. The duo of model checking and static analysis are conventional methods of finding defects in software systems and are based on fault localization.…”

Section: Related Workmentioning

confidence: 99%

An Adaptive Rank Aggregation-Based Ensemble Multi-Filter Feature Selection Method in Software Defect Prediction

Balogun

Basri

Capretz

et al. 2021

Entropy

View full text Add to dashboard Cite

Feature selection is known to be an applicable solution to address the problem of high dimensionality in software defect prediction (SDP). However, choosing an appropriate filter feature selection (FFS) method that will generate and guarantee optimal features in SDP is an open research issue, known as the filter rank selection problem. As a solution, the combination of multiple filter methods can alleviate the filter rank selection problem. In this study, a novel adaptive rank aggregation-based ensemble multi-filter feature selection (AREMFFS) method is proposed to resolve high dimensionality and filter rank selection problems in SDP. Specifically, the proposed AREMFFS method is based on assessing and combining the strengths of individual FFS methods by aggregating multiple rank lists in the generation and subsequent selection of top-ranked features to be used in the SDP process. The efficacy of the proposed AREMFFS method is evaluated with decision tree (DT) and naïve Bayes (NB) models on defect datasets from different repositories with diverse defect granularities. Findings from the experimental results indicated the superiority of AREMFFS over other baseline FFS methods that were evaluated, existing rank aggregation based multi-filter FS methods, and variants of AREMFFS as developed in this study. That is, the proposed AREMFFS method not only had a superior effect on prediction performances of SDP models but also outperformed baseline FS methods and existing rank aggregation based multi-filter FS methods. Therefore, this study recommends the combination of multiple FFS methods to utilize the strength of respective FFS methods and take advantage of filter–filter relationships in selecting optimal features for SDP processes.

show abstract

How Do Developers Act on Static Analysis Alerts? An Empirical Study of Coverity Usage

Cited by 23 publications

References 22 publications

Analysis and Comparative Researches of Methods for Improving the Software

Analysis and Comparative Researches of Methods for Improving the Software

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

An Adaptive Rank Aggregation-Based Ensemble Multi-Filter Feature Selection Method in Software Defect Prediction

Contact Info

Product

Resources

About