| dc.contributor.author | Beba, Sindre | |
| dc.contributor.author | Karlsen, Magnus Melseth | |
| dc.contributor.author | Li, Jingyue | |
| dc.contributor.author | Zhang, Bing | |
| dc.date.accessioned | 2022-03-07T14:31:56Z | |
| dc.date.available | 2022-03-07T14:31:56Z | |
| dc.date.created | 2021-12-27T12:04:29Z | |
| dc.date.issued | 2021 | |
| dc.identifier.isbn | 978-1-6654-3784-4 | |
| dc.identifier.uri | https://hdl.handle.net/11250/2983535 | |
| dc.description.abstract | Integrated development environment (IDE) plugins aimed at detecting web application security vulnerabilities can help developers create secure applications in the first place. Most of such IDE plugins use static source code analysis approaches. Although several empirical studies evaluated the plugins and compared their precision and recall of detecting web application security, few follow-up studies tried to understand the evaluation results. We analyzed more than 20,000 vulnerability reports based on 7,215 distinct test cases spanning 11 categories of web application vulnerabilities to understand the evaluation results of three open-source IDE plugins, namely, SpotBugs, FindSecBugs, and Early Security Vulnerability Detector (ESVD), which aimed at detecting security vulnerabilities of Java-based web applications. Our results identify many factors besides the source code analysis approach that can dramatically bias the detection performance. Based on our insights, we improved the studied plugins. In addition, our study raises the alarm that, without solid root cause analyses, the evaluation and comparisons of security vulnerability detection approaches and tools could be misleading. Thus, we proposed a guideline on reporting the evaluation results of the security vulnerability detection approaches. | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | Institute of Electrical and Electronics Engineers (IEEE) | en_US |
| dc.relation.ispartof | Proceedings of the 28th Asia-Pacific Software Engineering Conference (APSEC 2021) | |
| dc.title | Critical Understanding of Security Vulnerability Detection Plugin Evaluation Reports | en_US |
| dc.type | Chapter | en_US |
| dc.description.version | submittedVersion | en_US |
| dc.rights.holder | © IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. | en_US |
| dc.identifier.doi | 10.1109/APSEC53868.2021.00035 | |
| dc.identifier.cristin | 1972187 | |
| cristin.ispublished | true | |
| cristin.fulltext | preprint | |
| cristin.qualitycode | 1 | |
