On improving the adoption, usability, and retention of static application security testing (SAST) tools

Publisher

Montana State University - Bozeman, College of Engineering

Abstract

As the Internet connects our world ever closer and propels human progress toward new frontiers, it also exposes us to new and unforeseen dangers. Now that the majority of humanity is connected to the Internet, bad actors can potentially reach millions of people with the press of a button. With software being the primary medium through which the Internet is used, and with many Internet security breaches resulting from code vulnerabilities, a level of security is necessitated. The responsibility of securing these applications falls on the software developers. Fortunately, a variety of tools and techniques exist to assist developers in identifying and resolving software vulnerabilities. Static Application Security Testing (SAST), one of these tools, employs automated analysis techniques to meticulously examine an application's source code. This examination occurs early in the development process, even before the code is functional. SAST tools pinpoint potential security weaknesses within the code's structure, highlighting areas where malicious actors might exploit vulnerabilities. By identifying these risks early on, SAST tools allow developers to proactively address security concerns and build more robust applications. Despite these benefits, SAST tools are far from perfect. Our research focuses on challenges developers encounter when using these tools, with the overarching goal of improving their usability. We first present a literature review that examines 89 works of research relating to the implementation and continued usage of SAST. Through this review, we uncovered various problems developers had with SAST. Some of these, such as false positives (security warnings that identify a potential vulnerability that does not actually exist in the code), were mentioned in a majority of the 89 papers we reviewed.
The second manuscript details a process for automating the execution of SAST tools and the handling of their output, with a focus on presenting the data in a format that is meaningful and actionable to developers. This includes a real-world use-case example that provided feedback on an implementation of our process. Developers indicated satisfaction with many aspects of the process and conveyed that it made them more willing to use the SAST tool.
