Blogs (1) >>
ICSE 2019
Sat 25 - Fri 31 May 2019 Montreal, QC, Canada
Wed 29 May 2019 11:20 - 11:40 at Van-Horne - Security 1 Chair(s): Corina S Pasareanu

Static application security testing (SAST) detects vulnerability warnings through static program analysis. Fixing the vulnerability warnings tremendously improves software quality. However, SAST has not been fully utilized by developers due to various reasons: difficulties in handling a large number of reported warnings, a high rate of false warnings, and lack of guidance in fixing the reported warnings. In this paper, we collaborated with security experts from a commercial SAST product and propose a set of approaches (Priv) to help developers better utilize SAST techniques. First, Priv identifies preferred fix locations for the detected vulnerability warnings, and group them based on the common fix locations. Priv also leverages visualization techniques so that developers can quickly investigate the warnings in groups and prioritize their quality-assurance effort. Second, Priv identifies actionable vulnerability warnings by removing SAST-specific false positives. Finally, Priv provides customized fix suggestions for vulnerability warnings. Our evaluation of Priv on six web applications (AltoroJ, WebGoat, Bodgeit, Vulnerable Lab, JavaVulnerable Lab, and Heisenberg) highlights the accuracy and effectiveness of Priv. For 75.3% of the vulnerability warnings, the preferred fix locations found by Priv are identical to the ones annotated by security experts. The visualization based on shared preferred fix locations is useful for prioritizing quality-assurance efforts. Priv reduces the rate of SAST-specific false positives from 13.8%–88.6% to 0. Finally, Priv is able to provide fully complete and correct fix suggestions for 75.6% of the evaluated warnings. Priv is well received by security experts and some features are already integrated into industrial practice.

Wed 29 May
Times are displayed in time zone: (GMT-04:00) Eastern Time (US & Canada) change

11:00 - 12:30: Papers - Security 1 at Van-Horne
Chair(s): Corina S PasareanuCarnegie Mellon University Silicon Valley, NASA Ames Research Center
icse-2019-Software-Engineering-in-Practice11:00 - 11:20
Charles WeirLancaster University, Lynne BlairLancaster University, Ingolf BeckerUniversity College London, M. Angela SasseUniversity College London, James NobleVictoria University of Wellington, Awais RashidUniversity of Bristol, UK
icse-2019-Software-Engineering-in-Practice11:20 - 11:40
Jinqiu YangConcordia University, Montreal, Canada, Lin TanPurdue University, John PeytonHCL America, Kristofer A DuerAppScan Source
icse-2019-Technical-Papers11:40 - 12:00
Xiaoning DuNanyang Technological University, Bihuan ChenFudan University, Yuekang LiNanyang Technological University, Jianmin GuoTsinghua University, Yaqin ZhouNanyang Technological University, Yang LiuNanyang Technological University, Singapore, Yu Jiang
icse-2019-Journal-First-Paper12:00 - 12:10
Stanislav DashevskyiUniversity of Luxembourg, Achim D. BruckerThe University of Sheffield, Fabio MassacciUniversity of Trento
Link to publication DOI Pre-print
icse-2019-New-Ideas-and-Emerging-Reults12:10 - 12:20
Haijun WangNanyang Technological University, Yi LiNanyang Technological University, Shang-Wei LinNanyang Technological University, Lei MaKyushu University, Yang LiuNanyang Technological University, Singapore
icse-2019-Paper-Presentations12:20 - 12:30