
Towards Immediate Feedback for Security Relevant Code in Development Environments

  • Conference paper
  • First Online:
Service-Oriented Computing (SummerSOC 2022)

Abstract

Nowadays, the correct use of cryptography libraries is essential to ensure the necessary information security in different kinds of applications. A common practice in software development is the use of static application security testing (SAST) tools to analyze code for security vulnerabilities. Most of these tools are designed to run separately from development environments. Their results are extensive lists of security notifications, which software developers have to inspect manually in a time-consuming follow-up step. To support developers in their task of developing secure code, we present an approach for providing them with continuous, immediate feedback from SAST tools in integrated development environments (IDEs). Our approach also considers the understandability of security notifications and aims for a user-centered approach that leverages developers’ feedback to build an adaptive system tailored to each individual developer.

This work is funded by the BMBF project CRITICALMATE (16KIS0995).



Author information

Corresponding author

Correspondence to Markus Haug .


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Haug, M., da Silva, A.C.F., Wagner, S. (2022). Towards Immediate Feedback for Security Relevant Code in Development Environments. In: Barzen, J., Leymann, F., Dustdar, S. (eds) Service-Oriented Computing. SummerSOC 2022. Communications in Computer and Information Science, vol 1603. Springer, Cham. https://doi.org/10.1007/978-3-031-18304-1_4

  • DOI: https://doi.org/10.1007/978-3-031-18304-1_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-18303-4

  • Online ISBN: 978-3-031-18304-1

  • eBook Packages: Computer Science (R0)