Comparison and evaluation on Static Application Security Testing (SAST) tools for Java

Comparison and evaluation on Static Application Security Testing (SAST) tools for Java

Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-d...

Full description

Saved in:
Bibliographic Details
Main Authors: LI, Kaixuan, CHEN, Sen, FAN, Lingling, FENG, Ruitao, LIU, Han, LIU, Chengwei, LIU, Yang, CHEN, Yixiang
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2023
Subjects:
Benchmarks
Empirical study
Static application security testing
Information Security
Online Access:https://ink.library.smu.edu.sg/sis_research/8976
https://ink.library.smu.edu.sg/context/sis_research/article/9979/viewcontent/fse2023_sast_pv.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
Description
Summary:Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-defined criteria, we first selected seven free or open-source SAST tools from 161 existing tools for further evaluation. Owing to the synthetic and newly-constructed real-world benchmarks, we evaluated and compared these SAST tools from different and comprehensive perspectives such as effectiveness, consistency, and performance. While SAST tools perform well on synthetic benchmarks, our results indicate that only 12.7% of real-world vulnerabilities can be detected by the selected tools. Even combining the detection capability of all tools, most vulnerabilities (70.9%) remain undetected, especially those beyond resource control and insufficiently neutralized input/output vulnerabilities. The fact is that although they have already built the corresponding detecting rules and integrated them into their capabilities, the detection result still did not meet the expectations. All useful findings unveiled in our comprehensive study indeed help to provide guidance on tool development, improvement, evaluation, and selection for developers, researchers, and potential users.

Similar Items