Comparison and evaluation on Static Application Security Testing (SAST) tools for Java
Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-d...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2023
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/8976 https://ink.library.smu.edu.sg/context/sis_research/article/9979/viewcontent/fse2023_sast_pv.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-9979 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-99792024-07-25T08:34:42Z Comparison and evaluation on Static Application Security Testing (SAST) tools for Java LI, Kaixuan CHEN, Sen FAN, Lingling FENG, Ruitao LIU, Han LIU, Chengwei LIU, Yang CHEN, Yixiang Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-defined criteria, we first selected seven free or open-source SAST tools from 161 existing tools for further evaluation. Owing to the synthetic and newly-constructed real-world benchmarks, we evaluated and compared these SAST tools from different and comprehensive perspectives such as effectiveness, consistency, and performance. While SAST tools perform well on synthetic benchmarks, our results indicate that only 12.7% of real-world vulnerabilities can be detected by the selected tools. Even combining the detection capability of all tools, most vulnerabilities (70.9%) remain undetected, especially those beyond resource control and insufficiently neutralized input/output vulnerabilities. The fact is that although they have already built the corresponding detecting rules and integrated them into their capabilities, the detection result still did not meet the expectations. All useful findings unveiled in our comprehensive study indeed help to provide guidance on tool development, improvement, evaluation, and selection for developers, researchers, and potential users. 2023-12-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/8976 info:doi/10.1145/3611643.3616262 https://ink.library.smu.edu.sg/context/sis_research/article/9979/viewcontent/fse2023_sast_pv.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Benchmarks Empirical study Static application security testing Information Security |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Benchmarks Empirical study Static application security testing Information Security |
| spellingShingle |
Benchmarks Empirical study Static application security testing Information Security LI, Kaixuan CHEN, Sen FAN, Lingling FENG, Ruitao LIU, Han LIU, Chengwei LIU, Yang CHEN, Yixiang Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| description |
Static application security testing (SAST) takes a significant role in the software development life cycle (SDLC). However, it is challenging to comprehensively evaluate the effectiveness of SAST tools to determine which is the better one for detecting vulnerabilities. In this paper, based on well-defined criteria, we first selected seven free or open-source SAST tools from 161 existing tools for further evaluation. Owing to the synthetic and newly-constructed real-world benchmarks, we evaluated and compared these SAST tools from different and comprehensive perspectives such as effectiveness, consistency, and performance. While SAST tools perform well on synthetic benchmarks, our results indicate that only 12.7% of real-world vulnerabilities can be detected by the selected tools. Even combining the detection capability of all tools, most vulnerabilities (70.9%) remain undetected, especially those beyond resource control and insufficiently neutralized input/output vulnerabilities. The fact is that although they have already built the corresponding detecting rules and integrated them into their capabilities, the detection result still did not meet the expectations. All useful findings unveiled in our comprehensive study indeed help to provide guidance on tool development, improvement, evaluation, and selection for developers, researchers, and potential users. |
| format |
text |
| author |
LI, Kaixuan CHEN, Sen FAN, Lingling FENG, Ruitao LIU, Han LIU, Chengwei LIU, Yang CHEN, Yixiang |
| author_facet |
LI, Kaixuan CHEN, Sen FAN, Lingling FENG, Ruitao LIU, Han LIU, Chengwei LIU, Yang CHEN, Yixiang |
| author_sort |
LI, Kaixuan |
| title |
Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| title_short |
Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| title_full |
Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| title_fullStr |
Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| title_full_unstemmed |
Comparison and evaluation on Static Application Security Testing (SAST) tools for Java |
| title_sort |
comparison and evaluation on static application security testing (sast) tools for java |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2023 |
| url |
https://ink.library.smu.edu.sg/sis_research/8976 https://ink.library.smu.edu.sg/context/sis_research/article/9979/viewcontent/fse2023_sast_pv.pdf |
| _version_ |
1814047698658000896 |