Brunel University Research Archive(BURA) preserves and enables easy and open access to all
types of digital content. It showcases Brunel's research outputs.
Research contained within BURA is open access, although some publications may be subject
to publisher imposed embargoes. All awarded PhD theses are also archived on BURA.
Please use this identifier to cite or link to this item:
http://bura.brunel.ac.uk/handle/2438/30373Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Bennett, G | - |
| dc.date.accessioned | 2024-12-24T12:43:33Z | - |
| dc.date.available | 2024-12-24T12:43:33Z | - |
| dc.date.issued | 2024-10-24 | - |
| dc.identifier | ORCiD: Tracy Hall https://orcid.org/0000-0002-2728-9014 | - |
| dc.identifier | ORCiD: Steve Counsell https://orcid.org/0000-0002-2939-8919 | - |
| dc.identifier | ORCiD: Thomas Shippey https://orcid.org/0000-0003-1890-3390 | - |
| dc.identifier.citation | Bennett, G. et al. (2024) 'Do Developers Use Static Application Security Testing (SAST) Tools Straight Out of the Box? A large-scale Empirical Study', ESEM '24: Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, Barcelona, Spain, 24-25 October, pp.454 - 460. doi: 10.1145/3674805. | en_US |
| dc.identifier.isbn | 9798400710476 | - |
| dc.identifier.uri | https://bura.brunel.ac.uk/handle/2438/30373 | - |
| dc.description.abstract | Static application Security Testing (SAST) tools are an established means of detecting vulnerabilities early in development. Previous studies have reported low detection rates from SAST tools and recommend either combining SAST tools or configuring rule sets to detect more vulnerabilities. However, while previous work suggests that developers rarely combine or configure any of the Automatic Static Analysis Tools (ASATs) they use, it is currently unclear whether SAST tools are used directly “out of the box”. To understand how developers use SAST tools, we performed a large-scale survey involving 1,263 developers. We pre-screened developers to establish their SAST use and found that only 20% (204/1,003) used SAST tools. Of those developers who did use SAST tools, we found a large number did not use multiple tools (59%), did not configure tools (54%) or did neither (40%). Our results suggest that more work is needed to help developers combine and configure tools, since doing so is likely to detect significantly more vulnerabilities. | en_US |
| dc.format.medium | Electronic | - |
| dc.language.iso | en_US | en_US |
| dc.publisher | Association for Computing Machinery (ACM) | en_US |
| dc.rights | Attribution 4.0 International | - |
| dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | - |
| dc.source | ESEM '24: Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement | - |
| dc.source | ESEM '24: Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement | - |
| dc.subject | static analysis | en_US |
| dc.subject | survey | en_US |
| dc.subject | vulnerability detection | en_US |
| dc.title | Do Developers Use Static Application Security Testing (SAST) Tools Straight Out of the Box? A large-scale Empirical Study | en_US |
| dc.type | Conference Paper | en_US |
| dc.date.dateAccepted | 2024-07-17 | - |
| dc.identifier.doi | https://doi.org/10.1145/3674805 | - |
| pubs.publication-status | Published | - |
| dc.rights.license | https://creativecommons.org/licenses/by/4.0/legalcode.en | - |
| dc.rights.holder | Owner/Author | - |
| Appears in Collections: | Dept of Computer Science Research Papers | |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| FullText.pdf | Copyright © 2024 Owner/Author. This work is licensed under a Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). | 469.75 kB | Adobe PDF | View/Open |
This item is licensed under a Creative Commons License
