Please use this identifier to cite or link to this item: http://bura.brunel.ac.uk/handle/2438/30374
Full metadata record
DC Field | Value | Language
dc.contributor.author | Bennett, G | -
dc.contributor.author | Hall, T | -
dc.contributor.author | Winter, E | -
dc.contributor.author | Counsell, S | -
dc.coverage.spatial | Salerno, Italy | -
dc.date.accessioned | 2024-12-24T13:09:57Z | -
dc.date.available | 2024-12-24T13:09:57Z | -
dc.date.issued | 2024-06-18 | -
dc.identifier | ORCiD: Tracy Hall https://orcid.org/0000-0002-2728-9014 | -
dc.identifier | ORCiD: Steve Counsell https://orcid.org/0000-0002-2939-8919 | -
dc.identifier.citation | Bennett, G. et al. (2024) 'Semgrep∗: Improving the Limited Performance of Static Application Security Testing (SAST) Tools', EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 2024, pp. 614 - 623. doi: 10.1145/3661167.3661262. | en_US
dc.identifier.isbn | 9798400717017 | -
dc.identifier.uri | https://bura.brunel.ac.uk/handle/2438/30374 | -
dc.description.abstract | Vulnerabilities in code should be detected and patched quickly to reduce the time in which they can be exploited. There are many automated approaches to assist developers in detecting vulnerabilities, most notably Static Application Security Testing (SAST) tools. However, no single tool detects all vulnerabilities, and so relying on any one tool may leave vulnerabilities dormant in code. In this study, we use a manually curated dataset to evaluate four SAST tools on production code with known vulnerabilities. Our results show that the vulnerability detection rates of individual tools range from 11.2% to 26.5%, but combining these four tools can detect 38.8% of vulnerabilities. We investigate why SAST tools are unable to detect 61.2% of vulnerabilities and identify missing vulnerable code patterns from tool rule sets. Based on our findings, we create new rules for Semgrep, a popular configurable SAST tool. Our newly configured Semgrep tool detects 44.7% of vulnerabilities, more than using a combination of tools, and a 181% improvement in Semgrep's detection rate. | en_US
dc.format.extent | 614 - 623 | -
dc.format.medium | Electronic | -
dc.language | en | -
dc.language.iso | en_US | en_US
dc.publisher | Association for Computing Machinery (ACM) | en_US
dc.rights | Attribution 4.0 International | -
dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | -
dc.source | 28th International Conference on Evaluation and Assessment in Software Engineering (EASE '24) | -
dc.title | Semgrep∗: Improving the Limited Performance of Static Application Security Testing (SAST) Tools | en_US
dc.type | Conference Paper | en_US
dc.date.dateAccepted | 2024-03-06 | -
dc.identifier.doi | https://doi.org/10.1145/3661167.3661262 | -
dc.relation.isPartOf | EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering | -
pubs.finish-date | 2024-06-21 | -
pubs.publication-status | Published | -
pubs.start-date | 2024-06-18 | -
dc.rights.license | https://creativecommons.org/licenses/by/4.0/legalcode.en | -
dc.rights.holder | Owner/Author | -
Appears in Collections: Dept of Computer Science Research Papers

Files in This Item:
File | Description | Size | Format
FullText.pdf | Copyright © 2024 Owner/Author. This work is licensed under a Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). | 526.59 kB | Adobe PDF


This item is licensed under a Creative Commons License.