FOSS version differentiation as a benchmark for static analysis security testing tools / Pashchenko, Ivan. - 130154:(2017), pp. 1056-1058. (Paper presented at the 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ESEC/FSE 2017, held in deu in 2017) [10.1145/3106237.3121276].

FOSS version differentiation as a benchmark for static analysis security testing tools

Pashchenko, Ivan
2017-01-01

Abstract

We propose a novel methodology that allows automatic construction of benchmarks for Static Analysis Security Testing (SAST) tools based on real-world software projects, by differencing vulnerable and fixed versions in FOSS repositories. The methodology allows us to evaluate the “actual” performance of SAST tools (without unrelated alarms). To test our approach, we benchmarked 7 SAST tools (although we report results only for the two best tools) against 70 revisions of four major versions of Apache Tomcat, with 62 distinct CVEs as the source of ground-truth vulnerabilities.
2017
Proceedings of the ACM SIGSOFT Symposium on the Foundations of Software Engineering
Pashchenko, Ivan*
New York
Association for Computing Machinery
9781450351058
Pashchenko, Ivan
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/199025
Citations
  • PubMed Central: not available
  • Scopus: 1
  • ISI (Web of Science): 1