"False negative - that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing

The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive,...

Full description

Bibliographic details
Main authors: Ami, Amit Seal, Moran, Kevin, Poshyvanyk, Denys, Nadkarni, Adwait
Format: Conference proceeding
Language: eng
Subjects:
Online access: Order full text
container_end_page 3997
container_issue
container_start_page 3979
container_title
container_volume
creator Ami, Amit Seal
Moran, Kevin
Poshyvanyk, Denys
Nadkarni, Adwait
description The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the limitations of the tools, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify 17 key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo - challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.
doi_str_mv 10.1109/SP54263.2024.00019
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier EISSN: 2375-1207
ispartof 2024 IEEE Symposium on Security and Privacy (SP), 2024, p.3979-3997
issn 2375-1207
language eng
recordid cdi_ieee_primary_10646636
source IEEE Electronic Library (IEL)
subjects Benchmark testing
false negative
false positive
Industries
Privacy
Protocols
qualitative research
Reliability
SAST
Security
software engineering
software security
Static analysis
static analysis based security testing
thematic analysis
title "False negative - that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-29T11%3A01%3A04IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=%22False%20negative%20-%20that%20one%20is%20going%20to%20kill%20you%22:%20Understanding%20Industry%20Perspectives%20of%20Static%20Analysis%20based%20Security%20Testing&rft.btitle=2024%20IEEE%20Symposium%20on%20Security%20and%20Privacy%20(SP)&rft.au=Ami,%20Amit%20Seal&rft.date=2024-05-19&rft.spage=3979&rft.epage=3997&rft.pages=3979-3997&rft.eissn=2375-1207&rft.coden=IEEPAD&rft_id=info:doi/10.1109/SP54263.2024.00019&rft_dat=%3Cieee_RIE%3E10646636%3C/ieee_RIE%3E%3Curl%3E%3C/url%3E&rft.eisbn=9798350331301&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=10646636&rfr_iscdi=true