[{"type":"conference","citation":{"bibtex":"@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, booktitle={Proceedings of the 9th International Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.","chicago":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.","ama":"Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. ; 2024.","apa":"Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal.","ieee":"M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024.","short":"M. Khedkar, E. 
Bodden, in: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024."},"year":"2024","conference":{"name":"9th International Conference on Mobile Software Engineering and Systems 2024","start_date":"2024-04-14","location":"Lisbon, Portugal","end_date":"2024-04-15"},"_id":"52235","publication":"Proceedings of the 9th International Conference on Mobile Software Engineering and Systems","keyword":["static program analysis","data protection and privacy","GDPR compliance"],"file_date_updated":"2024-03-03T14:39:08Z","author":[{"last_name":"Khedkar","id":"88024","first_name":"Mugdha","full_name":"Khedkar, Mugdha"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","last_name":"Bodden","id":"59256"}],"file":[{"date_updated":"2024-03-03T14:39:08Z","content_type":"application/pdf","relation":"main_file","success":1,"file_size":530812,"file_id":"52236","creator":"khedkarm","access_level":"closed","file_name":"2402.07889v1.pdf","date_created":"2024-03-03T14:39:08Z"}],"date_created":"2024-03-03T14:37:53Z","has_accepted_license":"1","status":"public","abstract":[{"text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. 
Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. ","lang":"eng"}],"ddc":["006"],"user_id":"88024","language":[{"iso":"eng"}],"date_updated":"2024-03-06T13:00:38Z","department":[{"_id":"76"}],"external_id":{"arxiv":["2402.07889"]},"title":"Toward an Android Static Analysis Approach for Data Protection"},{"_id":"52587","intvolume":" 22","issue":"1","year":"2024","type":"journal_article","citation":{"mla":"Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028.","bibtex":"@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028}, number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }","ama":"Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. doi:10.1109/msec.2023.3336028","apa":"Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy, 22(1), 69–72. https://doi.org/10.1109/msec.2023.3336028","chicago":"Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy 22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.","ieee":"E. Bodden, J. 
Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol. 22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.","short":"E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy 22 (2024) 69–72."},"page":"69-72","user_id":"405","author":[{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"},{"last_name":"Pottebaum","id":"405","first_name":"Jens","orcid":"http://orcid.org/0000-0001-8778-2989","full_name":"Pottebaum, Jens"},{"last_name":"Fockel","first_name":"Markus","full_name":"Fockel, Markus"},{"id":"47565","last_name":"Gräßler","orcid":"0000-0001-5765-971X","full_name":"Gräßler, Iris","first_name":"Iris"}],"quality_controlled":"1","publisher":"Institute of Electrical and Electronics Engineers (IEEE)","publication":"IEEE Security & Privacy","keyword":["Law","Electrical and Electronic Engineering","Computer Networks and Communications"],"status":"public","date_created":"2024-03-15T20:16:18Z","volume":22,"date_updated":"2024-03-15T20:25:13Z","doi":"10.1109/msec.2023.3336028","language":[{"iso":"eng"}],"title":"Evaluating Security Through Isolation and Defense in Depth","department":[{"_id":"152"},{"_id":"76"},{"_id":"241"}],"publication_status":"published","publication_identifier":{"issn":["1540-7993","1558-4046"]}},{"_id":"52663","date_updated":"2024-03-20T09:32:29Z","type":"misc","year":"2024","citation":{"ieee":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024.","short":"A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024.","mla":"Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 
2024.","bibtex":"@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }","apa":"Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden, E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.","ama":"Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.; 2024.","chicago":"Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024."},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://arxiv.org/abs/2403.07808"}],"title":"Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability","user_id":"32312","abstract":[{"lang":"eng","text":"Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. 
We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains."}],"date_created":"2024-03-20T09:28:36Z","status":"public","department":[{"_id":"76"}],"keyword":["Static analysis","error chains","false positive reduction","empirical studies"],"author":[{"last_name":"Wickert","full_name":"Wickert, Anna-Katharina","first_name":"Anna-Katharina"},{"first_name":"Michael","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","id":"32312"},{"last_name":"Vogel","full_name":"Vogel, Marvin","first_name":"Marvin"},{"full_name":"Winter, Lukas","first_name":"Lukas","last_name":"Winter"},{"full_name":"Mezini, Mira","first_name":"Mira","last_name":"Mezini"},{"last_name":"Bodden","id":"59256","first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric"}]},{"department":[{"_id":"76"}],"author":[{"first_name":"Andreas Peter","full_name":"Dann, Andreas Peter","last_name":"Dann","id":"26886"},{"first_name":"Ben","orcid":"0000-0001-9848-2017","full_name":"Hermann, Ben","last_name":"Hermann","id":"66173"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","full_name":"Bodden, 
Eric","last_name":"Bodden","id":"59256"}],"date_created":"2023-01-02T09:26:50Z","status":"public","user_id":"15249","title":"UpCy: Safely Updating Outdated Dependencies","series_title":"International Conference on Software Engineering (ICSE)","language":[{"iso":"eng"}],"citation":{"ieee":"A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.” 2023.","short":"A.P. Dann, B. Hermann, E. Bodden, (2023).","mla":"Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies. 2023.","bibtex":"@article{Dann_Hermann_Bodden_2023, series={International Conference on Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies}, author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International Conference on Software Engineering (ICSE)} }","chicago":"Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating Outdated Dependencies.” International Conference on Software Engineering (ICSE), 2023.","ama":"Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies. Published online 2023.","apa":"Dann, A. P., Hermann, B., & Bodden, E. (2023). 
UpCy: Safely Updating Outdated Dependencies."},"type":"conference","year":"2023","date_updated":"2023-01-02T09:28:32Z","_id":"35083"},{"user_id":"15249","title":"Model Generation For Java Frameworks","status":"public","date_created":"2023-02-06T10:37:23Z","author":[{"last_name":"Luo","full_name":"Luo, Linghui","first_name":"Linghui"},{"full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","first_name":"Goran","id":"41936","last_name":"Piskachev"},{"full_name":"Krishnamurthy, Ranjith","orcid":"0000-0002-0906-5463","first_name":"Ranjith","id":"78060","last_name":"Krishnamurthy"},{"last_name":"Dolby","first_name":"Julian","full_name":"Dolby, Julian"},{"full_name":"Schäf, Martin","first_name":"Martin","last_name":"Schäf"},{"id":"59256","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric"}],"publication":"IEEE International Conference on Software Testing, Verification and Validation (ICST)","department":[{"_id":"76"},{"_id":"662"}],"date_updated":"2023-02-06T10:42:29Z","_id":"41812","language":[{"iso":"eng"}],"citation":{"bibtex":"@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model Generation For Java Frameworks}, booktitle={IEEE International Conference on Software Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev, Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden, Eric}, year={2023} }","mla":"Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","chicago":"Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.","ama":"Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation For Java Frameworks. 
In: IEEE International Conference on Software Testing, Verification and Validation (ICST). ; 2023.","apa":"Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden, E. (2023). Model Generation For Java Frameworks. IEEE International Conference on Software Testing, Verification and Validation (ICST).","ieee":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden, “Model Generation For Java Frameworks,” 2023.","short":"L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. Bodden, in: IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023."},"year":"2023","type":"conference"},{"_id":"41813","date_updated":"2023-02-06T10:46:00Z","year":"2023","citation":{"ieee":"A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” 2023.","short":"A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.","mla":"Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.","bibtex":"@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }","chicago":"Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” In IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.","apa":"Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. 
(2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER).","ama":"Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023."},"type":"conference","language":[{"iso":"eng"}],"title":"Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis","user_id":"15249","status":"public","date_created":"2023-02-06T10:44:08Z","author":[{"last_name":"Shivarpatna Venkatesh","id":"66637","first_name":"Ashwin Prasad","full_name":"Shivarpatna Venkatesh, Ashwin Prasad"},{"first_name":"Jiawei","full_name":"Wang, Jiawei","last_name":"Wang"},{"full_name":"Li, Li","first_name":"Li","last_name":"Li"},{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"publication":"IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","department":[{"_id":"76"}]},{"title":"Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis","user_id":"70410","publisher":"IEEE","author":[{"first_name":"Kadiray","full_name":"Karakaya, Kadiray","last_name":"Karakaya"},{"last_name":"Bodden","full_name":"Bodden, Eric","first_name":"Eric"}],"publication":"2023 IEEE Conference on Software Testing, Verification and Validation (ICST)","department":[{"_id":"76"}],"publication_status":"published","status":"public","date_created":"2023-05-29T12:09:43Z","_id":"45312","date_updated":"2023-05-29T12:12:17Z","doi":"10.1109/icst57152.2023.00036","citation":{"mla":"Karakaya, Kadiray, and Eric Bodden. 
“Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023, doi:10.1109/icst57152.2023.00036.","bibtex":"@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis}, DOI={10.1109/icst57152.2023.00036}, booktitle={2023 IEEE Conference on Software Testing, Verification and Validation (ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023} }","ama":"Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. In: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE; 2023. doi:10.1109/icst57152.2023.00036","apa":"Karakaya, K., & Bodden, E. (2023). Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). https://doi.org/10.1109/icst57152.2023.00036","chicago":"Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” In 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE, 2023. https://doi.org/10.1109/icst57152.2023.00036.","ieee":"K. Karakaya and E. Bodden, “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis,” 2023, doi: 10.1109/icst57152.2023.00036.","short":"K. Karakaya, E. 
Bodden, in: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023."},"year":"2023","type":"conference"},{"title":"Runtime Verification of Crypto APIs: An Empirical Study","department":[{"_id":"76"}],"publication_status":"published","publication_identifier":{"issn":["0098-5589","1939-3520","2326-3881"]},"date_updated":"2023-12-04T11:05:26Z","doi":"10.1109/tse.2023.3301660","language":[{"iso":"eng"}],"user_id":"15249","publication":"IEEE Transactions on Software Engineering","keyword":["Software"],"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","author":[{"full_name":"Torres, Adriano","first_name":"Adriano","last_name":"Torres"},{"last_name":"Costa","full_name":"Costa, Pedro","first_name":"Pedro"},{"last_name":"Amaral","full_name":"Amaral, Luis","first_name":"Luis"},{"last_name":"Pastro","full_name":"Pastro, Jonata","first_name":"Jonata"},{"first_name":"Rodrigo","full_name":"Bonifácio, Rodrigo","last_name":"Bonifácio"},{"full_name":"d'Amorim, Marcelo","first_name":"Marcelo","last_name":"d'Amorim"},{"last_name":"Legunsen","first_name":"Owolabi","full_name":"Legunsen, Owolabi"},{"full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","first_name":"Eric","id":"59256","last_name":"Bodden"},{"first_name":"Edna","full_name":"Dias Canedo, Edna","last_name":"Dias Canedo"}],"date_created":"2023-09-06T07:42:40Z","status":"public","volume":49,"intvolume":" 49","_id":"46816","issue":"10","page":"4510 - 4525","year":"2023","citation":{"ieee":"A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp. 4510–4525, 2023, doi: 10.1109/tse.2023.3301660.","short":"A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O. Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering 49 (2023) 4510–4525.","mla":"Torres, Adriano, et al. 
“Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.","bibtex":"@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study}, volume={49}, DOI={10.1109/tse.2023.3301660}, number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa, Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim, Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023}, pages={4510–4525} }","apa":"Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M., Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering, 49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660","ama":"Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering. 2023;49(10):4510-4525. doi:10.1109/tse.2023.3301660","chicago":"Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio, Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660."},"type":"journal_article"},{"date_updated":"2023-12-04T11:29:49Z","doi":"10.1007/s10664-023-10354-3","language":[{"iso":"eng"}],"title":"Can the configuration of static analyses make resolving security vulnerabilities more effective? 
- A user study","department":[{"_id":"76"},{"_id":"662"}],"publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","_id":"49439","intvolume":" 28","issue":"5","article_number":"118","citation":{"bibtex":"@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={10.1007/s10664-023-10354-3}, number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }","mla":"Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:10.1007/s10664-023-10354-3.","chicago":"Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3.","apa":"Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3","ama":"Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3","ieee":"G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi: 10.1007/s10664-023-10354-3.","short":"G. Piskachev, M. Becker, E. 
Bodden, Empirical Software Engineering 28 (2023)."},"type":"journal_article","year":"2023","abstract":[{"lang":"eng","text":"The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. 
The configuration options that are found most useful relate to the analysis scope."}],"user_id":"15249","keyword":["Software"],"publication":"Empirical Software Engineering","publisher":"Springer Science and Business Media LLC","author":[{"last_name":"Piskachev","id":"41936","first_name":"Goran","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838"},{"id":"4870","last_name":"Becker","orcid":"https://orcid.org/0000-0003-2465-9347","full_name":"Becker, Matthias","first_name":"Matthias"},{"last_name":"Bodden","id":"59256","first_name":"Eric","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647"}],"date_created":"2023-12-04T11:14:34Z","status":"public","volume":28},{"status":"public","date_created":"2023-12-04T11:07:08Z","publication_status":"published","author":[{"last_name":"Krüger","first_name":"Stefan","full_name":"Krüger, Stefan"},{"full_name":"Reif, Michael","first_name":"Michael","last_name":"Reif"},{"first_name":"Anna-Katharina","full_name":"Wickert, Anna-Katharina","last_name":"Wickert"},{"last_name":"Nadi","first_name":"Sarah","full_name":"Nadi, Sarah"},{"first_name":"Karim","full_name":"Ali, Karim","last_name":"Ali"},{"orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","first_name":"Eric","id":"59256","last_name":"Bodden"},{"last_name":"Acar","id":"94636","first_name":"Yasemin","full_name":"Acar, Yasemin"},{"first_name":"Mira","full_name":"Mezini, Mira","last_name":"Mezini"},{"first_name":"Sascha","full_name":"Fahl, Sascha","last_name":"Fahl"}],"publisher":"IEEE","department":[{"_id":"76"},{"_id":"740"}],"publication":"2023 IEEE Secure Development Conference (SecDev)","user_id":"15249","title":"Securing Your Crypto-API Usage Through Tool Support - A Usability Study","language":[{"iso":"eng"}],"year":"2023","type":"conference","citation":{"bibtex":"@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023, title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study}, DOI={10.1109/secdev56634.2023.00015}, 
booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE}, author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi, Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl, Sascha}, year={2023} }","mla":"Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023, doi:10.1109/secdev56634.2023.00015.","apa":"Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar, Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev). https://doi.org/10.1109/secdev56634.2023.00015","ama":"Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through Tool Support - A Usability Study. In: 2023 IEEE Secure Development Conference (SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015","chicago":"Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015.","ieee":"S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support - A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.","short":"S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar, M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023."},"doi":"10.1109/secdev56634.2023.00015","_id":"49438","date_updated":"2023-12-04T11:14:10Z"}]