--- _id: '52235' abstract: - lang: eng text: "Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. " author: - first_name: Mugdha full_name: Khedkar, Mugdha id: '88024' last_name: Khedkar - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. ; 2024.' apa: Khedkar, M., & Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. Proceedings of the 9th International Conference on Mobile Software Engineering and Systems. 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal. 
bibtex: '@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, booktitle={Proceedings of the 9th International Conference on Mobile Software Engineering and Systems}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }' chicago: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024. ieee: M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 9th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024. mla: Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024. short: 'M. Khedkar, E. Bodden, in: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems, 2024.' 
conference: end_date: 2024-04-15 location: Lisbon, Portugal name: 9th International Conference on Mobile Software Engineering and Systems 2024 start_date: 2024-04-14 date_created: 2024-03-03T14:37:53Z date_updated: 2024-03-06T13:00:38Z ddc: - '006' department: - _id: '76' external_id: arxiv: - '2402.07889' file: - access_level: closed content_type: application/pdf creator: khedkarm date_created: 2024-03-03T14:39:08Z date_updated: 2024-03-03T14:39:08Z file_id: '52236' file_name: 2402.07889v1.pdf file_size: 530812 relation: main_file success: 1 file_date_updated: 2024-03-03T14:39:08Z has_accepted_license: '1' keyword: - static program analysis - data protection and privacy - GDPR compliance language: - iso: eng license: https://creativecommons.org/licenses/by/4.0/ publication: Proceedings of the 9th International Conference on Mobile Software Engineering and Systems status: public title: Toward an Android Static Analysis Approach for Data Protection type: conference user_id: '88024' year: '2024' ... --- _id: '52587' author: - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Jens full_name: Pottebaum, Jens id: '405' last_name: Pottebaum orcid: http://orcid.org/0000-0001-8778-2989 - first_name: Markus full_name: Fockel, Markus last_name: Fockel - first_name: Iris full_name: Gräßler, Iris id: '47565' last_name: Gräßler orcid: 0000-0001-5765-971X citation: ama: Bodden E, Pottebaum J, Fockel M, Gräßler I. Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy. 2024;22(1):69-72. doi:10.1109/msec.2023.3336028 apa: Bodden, E., Pottebaum, J., Fockel, M., & Gräßler, I. (2024). Evaluating Security Through Isolation and Defense in Depth. IEEE Security & Privacy, 22(1), 69–72. 
https://doi.org/10.1109/msec.2023.3336028 bibtex: '@article{Bodden_Pottebaum_Fockel_Gräßler_2024, title={Evaluating Security Through Isolation and Defense in Depth}, volume={22}, DOI={10.1109/msec.2023.3336028}, number={1}, journal={IEEE Security & Privacy}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Bodden, Eric and Pottebaum, Jens and Fockel, Markus and Gräßler, Iris}, year={2024}, pages={69–72} }' chicago: 'Bodden, Eric, Jens Pottebaum, Markus Fockel, and Iris Gräßler. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy 22, no. 1 (2024): 69–72. https://doi.org/10.1109/msec.2023.3336028.' ieee: 'E. Bodden, J. Pottebaum, M. Fockel, and I. Gräßler, “Evaluating Security Through Isolation and Defense in Depth,” IEEE Security & Privacy, vol. 22, no. 1, pp. 69–72, 2024, doi: 10.1109/msec.2023.3336028.' mla: Bodden, Eric, et al. “Evaluating Security Through Isolation and Defense in Depth.” IEEE Security & Privacy, vol. 22, no. 1, Institute of Electrical and Electronics Engineers (IEEE), 2024, pp. 69–72, doi:10.1109/msec.2023.3336028. short: E. Bodden, J. Pottebaum, M. Fockel, I. Gräßler, IEEE Security & Privacy 22 (2024) 69–72. date_created: 2024-03-15T20:16:18Z date_updated: 2024-03-15T20:25:13Z department: - _id: '152' - _id: '76' - _id: '241' doi: 10.1109/msec.2023.3336028 intvolume: ' 22' issue: '1' keyword: - Law - Electrical and Electronic Engineering - Computer Networks and Communications language: - iso: eng page: 69-72 publication: IEEE Security & Privacy publication_identifier: issn: - 1540-7993 - 1558-4046 publication_status: published publisher: Institute of Electrical and Electronics Engineers (IEEE) quality_controlled: '1' status: public title: Evaluating Security Through Isolation and Defense in Depth type: journal_article user_id: '405' volume: 22 year: '2024' ... 
--- _id: '52663' abstract: - lang: eng text: "Context\r\nStatic analyses are well-established to aid in understanding bugs or vulnerabilities during the development process or in large-scale studies. A low false-positive rate is essential for the adaption in practice and for precise results of empirical studies. Unfortunately, static analyses tend to report where a vulnerability manifests rather than the fix location. This can cause presumed false positives or imprecise results.\r\nMethod\r\nTo address this problem, we designed an adaption of an existing static analysis algorithm that can distinguish between a manifestation and fix location, and reports error chains. An error chain represents at least two interconnected errors that occur successively, thus building the connection between the fix and manifestation location. We used our tool CogniCryptSUBS for a case study on 471 GitHub repositories, a performance benchmark to compare different analysis configurations, and conducted an expert interview.\r\nResult\r\nWe found that 50 % of the projects with a report had at least one error chain. Our runtime benchmark demonstrated that our improvement caused only a minimal runtime overhead of less than 4 %. The results of our expert interview indicate that with our adapted version participants require fewer executions of the analysis.\r\nConclusion\r\nOur results indicate that error chains occur frequently in real-world projects, and ignoring them can lead to imprecise evaluation results. The runtime benchmark indicates that our tool is a feasible and efficient solution for detecting error chains in real-world projects. Further, our results gave a hint that the usability of static analyses may benefit from supporting error chains." 
author: - first_name: Anna-Katharina full_name: Wickert, Anna-Katharina last_name: Wickert - first_name: Michael full_name: Schlichtig, Michael id: '32312' last_name: Schlichtig orcid: 0000-0001-6600-6171 - first_name: Marvin full_name: Vogel, Marvin last_name: Vogel - first_name: Lukas full_name: Winter, Lukas last_name: Winter - first_name: Mira full_name: Mezini, Mira last_name: Mezini - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: Wickert A-K, Schlichtig M, Vogel M, Winter L, Mezini M, Bodden E. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability.; 2024. apa: Wickert, A.-K., Schlichtig, M., Vogel, M., Winter, L., Mezini, M., & Bodden, E. (2024). Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. bibtex: '@book{Wickert_Schlichtig_Vogel_Winter_Mezini_Bodden_2024, title={Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability}, author={Wickert, Anna-Katharina and Schlichtig, Michael and Vogel, Marvin and Winter, Lukas and Mezini, Mira and Bodden, Eric}, year={2024} }' chicago: Wickert, Anna-Katharina, Michael Schlichtig, Marvin Vogel, Lukas Winter, Mira Mezini, and Eric Bodden. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024. ieee: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, and E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024. mla: Wickert, Anna-Katharina, et al. Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability. 2024. short: A.-K. Wickert, M. Schlichtig, M. Vogel, L. Winter, M. Mezini, E. Bodden, Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability, 2024. 
date_created: 2024-03-20T09:28:36Z date_updated: 2024-03-20T09:32:29Z department: - _id: '76' keyword: - Static analysis - error chains - false positive reduction - empirical studies language: - iso: eng main_file_link: - url: https://arxiv.org/abs/2403.07808 status: public title: Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability type: misc user_id: '32312' year: '2024' ... --- _id: '35083' author: - first_name: Andreas Peter full_name: Dann, Andreas Peter id: '26886' last_name: Dann - first_name: Ben full_name: Hermann, Ben id: '66173' last_name: Hermann orcid: 0000-0001-9848-2017 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Dann AP, Hermann B, Bodden E. UpCy: Safely Updating Outdated Dependencies. Published online 2023.' apa: 'Dann, A. P., Hermann, B., & Bodden, E. (2023). UpCy: Safely Updating Outdated Dependencies.' bibtex: '@article{Dann_Hermann_Bodden_2023, series={International Conference on Software Engineering (ICSE)}, title={UpCy: Safely Updating Outdated Dependencies}, author={Dann, Andreas Peter and Hermann, Ben and Bodden, Eric}, year={2023}, collection={International Conference on Software Engineering (ICSE)} }' chicago: 'Dann, Andreas Peter, Ben Hermann, and Eric Bodden. “UpCy: Safely Updating Outdated Dependencies.” International Conference on Software Engineering (ICSE), 2023.' ieee: 'A. P. Dann, B. Hermann, and E. Bodden, “UpCy: Safely Updating Outdated Dependencies.” 2023.' mla: 'Dann, Andreas Peter, et al. UpCy: Safely Updating Outdated Dependencies. 2023.' short: A.P. Dann, B. Hermann, E. Bodden, (2023). date_created: 2023-01-02T09:26:50Z date_updated: 2023-01-02T09:28:32Z department: - _id: '76' language: - iso: eng series_title: International Conference on Software Engineering (ICSE) status: public title: 'UpCy: Safely Updating Outdated Dependencies' type: conference user_id: '15249' year: '2023' ...
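Two of the abstracts above describe complementary ideas: following personal data from its source through an Android app with static taint analysis (Khedkar and Bodden), and reporting an error chain that links the location where a problem manifests to the location where it has to be fixed (Wickert et al.). The block below is an added illustration of how the two fit together; it is not code from either paper, from CogniCrypt or from any tool of the authors. It is a toy forward taint analysis over a straight-line three-address IR: the IR shape, the API names (stand-ins for Android calls) and the sample program are all assumptions made for this example. Each finding records the sink where the flow manifests together with the source where it can be fixed and the statements in between, and a call that applies a technical measure (hashing, encryption) stops the flow.

```python
"""Toy forward taint analysis that reports both the manifestation location
(the sink) and the fix location (the source) of a personal-data flow.

Constructed illustration: the IR, the API names and the sample program are
assumptions made for this example, not code from either paper."""
from dataclasses import dataclass

# Hypothetical stand-ins for Android APIs (assumption, not from the papers).
PERSONAL_SOURCES = {"getLastKnownLocation", "getDeviceId"}
LEAK_SINKS = {"Log.d", "HttpClient.post"}
TECHNICAL_MEASURES = {"sha256", "encrypt"}
COPY = "copy"   # plain assignment; any other unlisted api derives new data


@dataclass(frozen=True)
class Taint:
    source_line: int   # where the personal data entered: the fix location
    source_api: str
    chain: tuple       # statement lines the value passed through, source first
    derived: bool      # True once the data was transformed (derived data)


@dataclass(frozen=True)
class Finding:
    manifestation_line: int
    sink_api: str
    fix_line: int
    source_api: str
    chain: tuple
    derived: bool


def analyze(program):
    """program: list of (line, dst, api, operands) meaning dst = api(*operands).

    Straight-line code only: one pass, no branches, no aliasing, no calls
    into other methods. Returns findings sorted by manifestation, then fix line."""
    taints = {}    # variable -> set of Taint currently attached to it
    findings = []
    for line, dst, api, operands in program:
        if api in PERSONAL_SOURCES:
            taints[dst] = {Taint(line, api, (line,), False)}
        elif api in TECHNICAL_MEASURES:
            # The measure's output is treated as protected, so the flow stops.
            # Whether the measure is adequate is a separate question.
            taints.pop(dst, None)
        elif api in LEAK_SINKS:
            for var in operands:
                for t in taints.get(var, ()):
                    findings.append(Finding(line, api, t.source_line, t.source_api,
                                            t.chain + (line,), t.derived))
        else:
            # Copy or derivation: the result carries every operand's taint,
            # with this statement appended to the chain.
            incoming = set()
            for var in operands:
                for t in taints.get(var, ()):
                    incoming.add(Taint(t.source_line, t.source_api,
                                       t.chain + (line,), t.derived or api != COPY))
            if incoming:
                taints[dst] = incoming
            else:
                taints.pop(dst, None)   # overwritten with untainted data
    return sorted(findings, key=lambda f: (f.manifestation_line, f.fix_line))


def render(f):
    """One-line report naming manifestation, fix location and the flow."""
    path = " -> ".join(str(n) for n in f.chain)
    kind = "data derived from" if f.derived else "data from"
    return (f"line {f.manifestation_line}: {f.sink_api} receives {kind} "
            f"{f.source_api} (line {f.fix_line}); flow {path}")


# Constructed sample program (assumption); dst None marks a sink call.
SAMPLE_PROGRAM = [
    (10, "loc", "getLastKnownLocation", ()),
    (11, "did", "getDeviceId", ()),
    (12, "msg", "concat", ("did", "loc")),      # derived data
    (13, "hid", "sha256", ("did",)),            # technical measure applied
    (14, None,  "Log.d", ("msg",)),             # manifestation: two flows
    (15, None,  "HttpClient.post", ("hid",)),   # protected, no finding
    (16, "out", COPY, ("loc",)),
    (17, None,  "HttpClient.post", ("out",)),   # manifestation: raw location
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROGRAM):
        print(render(finding))
```

On the sample program the analysis yields three findings: two at line 14 (the log call receives data derived from both sources, so the report points back to lines 10 and 11 as fix locations) and one at line 17 (the raw location reaches the network call via a plain copy), while line 15 is silent because the device id was hashed first. The simplifications matter for real code: a production analysis of the kind the abstracts describe has to handle branches, heap aliasing, calls across methods and framework callbacks, and cannot simply trust that any call named like a measure is an adequate one.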
--- _id: '41812' author: - first_name: Linghui full_name: Luo, Linghui last_name: Luo - first_name: Goran full_name: Piskachev, Goran id: '41936' last_name: Piskachev orcid: 0000-0003-4424-5838 - first_name: Ranjith full_name: Krishnamurthy, Ranjith id: '78060' last_name: Krishnamurthy orcid: 0000-0002-0906-5463 - first_name: Julian full_name: Dolby, Julian last_name: Dolby - first_name: Martin full_name: Schäf, Martin last_name: Schäf - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Luo L, Piskachev G, Krishnamurthy R, Dolby J, Schäf M, Bodden E. Model Generation For Java Frameworks. In: IEEE International Conference on Software Testing, Verification and Validation (ICST). ; 2023.' apa: Luo, L., Piskachev, G., Krishnamurthy, R., Dolby, J., Schäf, M., & Bodden, E. (2023). Model Generation For Java Frameworks. IEEE International Conference on Software Testing, Verification and Validation (ICST). bibtex: '@inproceedings{Luo_Piskachev_Krishnamurthy_Dolby_Schäf_Bodden_2023, title={Model Generation For Java Frameworks}, booktitle={IEEE International Conference on Software Testing, Verification and Validation (ICST)}, author={Luo, Linghui and Piskachev, Goran and Krishnamurthy, Ranjith and Dolby, Julian and Schäf, Martin and Bodden, Eric}, year={2023} }' chicago: Luo, Linghui, Goran Piskachev, Ranjith Krishnamurthy, Julian Dolby, Martin Schäf, and Eric Bodden. “Model Generation For Java Frameworks.” In IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023. ieee: L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, and E. Bodden, “Model Generation For Java Frameworks,” 2023. mla: Luo, Linghui, et al. “Model Generation For Java Frameworks.” IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023. short: 'L. Luo, G. Piskachev, R. Krishnamurthy, J. Dolby, M. Schäf, E. 
Bodden, in: IEEE International Conference on Software Testing, Verification and Validation (ICST), 2023.' date_created: 2023-02-06T10:37:23Z date_updated: 2023-02-06T10:42:29Z department: - _id: '76' - _id: '662' language: - iso: eng publication: IEEE International Conference on Software Testing, Verification and Validation (ICST) status: public title: Model Generation For Java Frameworks type: conference user_id: '15249' year: '2023' ... --- _id: '41813' author: - first_name: Ashwin Prasad full_name: Shivarpatna Venkatesh, Ashwin Prasad id: '66637' last_name: Shivarpatna Venkatesh - first_name: Jiawei full_name: Wang, Jiawei last_name: Wang - first_name: Li full_name: Li, Li last_name: Li - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: 'Shivarpatna Venkatesh AP, Wang J, Li L, Bodden E. Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. In: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ; 2023.' apa: Shivarpatna Venkatesh, A. P., Wang, J., Li, L., & Bodden, E. (2023). Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis. IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). bibtex: '@inproceedings{Shivarpatna Venkatesh_Wang_Li_Bodden_2023, title={Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Shivarpatna Venkatesh, Ashwin Prasad and Wang, Jiawei and Li, Li and Bodden, Eric}, year={2023} }' chicago: Shivarpatna Venkatesh, Ashwin Prasad, Jiawei Wang, Li Li, and Eric Bodden. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” In IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023. ieee: A. P. Shivarpatna Venkatesh, J. Wang, L. Li, and E. 
Bodden, “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis,” 2023. mla: Shivarpatna Venkatesh, Ashwin Prasad, et al. “Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis.” IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023. short: 'A.P. Shivarpatna Venkatesh, J. Wang, L. Li, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023.' date_created: 2023-02-06T10:44:08Z date_updated: 2023-02-06T10:46:00Z department: - _id: '76' language: - iso: eng publication: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) status: public title: Enhancing Comprehension and Navigation in Jupyter Notebooks with Static Analysis type: conference user_id: '15249' year: '2023' ... --- _id: '45312' author: - first_name: Kadiray full_name: Karakaya, Kadiray last_name: Karakaya - first_name: Eric full_name: Bodden, Eric last_name: Bodden citation: ama: 'Karakaya K, Bodden E. Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. In: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE; 2023. doi:10.1109/icst57152.2023.00036' apa: Karakaya, K., & Bodden, E. (2023). Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis. 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). https://doi.org/10.1109/icst57152.2023.00036 bibtex: '@inproceedings{Karakaya_Bodden_2023, title={Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis}, DOI={10.1109/icst57152.2023.00036}, booktitle={2023 IEEE Conference on Software Testing, Verification and Validation (ICST)}, publisher={IEEE}, author={Karakaya, Kadiray and Bodden, Eric}, year={2023} }' chicago: Karakaya, Kadiray, and Eric Bodden. 
“Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” In 2023 IEEE Conference on Software Testing, Verification and Validation (ICST). IEEE, 2023. https://doi.org/10.1109/icst57152.2023.00036. ieee: 'K. Karakaya and E. Bodden, “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis,” 2023, doi: 10.1109/icst57152.2023.00036.' mla: Karakaya, Kadiray, and Eric Bodden. “Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis.” 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023, doi:10.1109/icst57152.2023.00036. short: 'K. Karakaya, E. Bodden, in: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST), IEEE, 2023.' date_created: 2023-05-29T12:09:43Z date_updated: 2023-05-29T12:12:17Z department: - _id: '76' doi: 10.1109/icst57152.2023.00036 publication: 2023 IEEE Conference on Software Testing, Verification and Validation (ICST) publication_status: published publisher: IEEE status: public title: Two Sparsification Strategies for Accelerating Demand-Driven Pointer Analysis type: conference user_id: '70410' year: '2023' ... --- _id: '46816' author: - first_name: Adriano full_name: Torres, Adriano last_name: Torres - first_name: Pedro full_name: Costa, Pedro last_name: Costa - first_name: Luis full_name: Amaral, Luis last_name: Amaral - first_name: Jonata full_name: Pastro, Jonata last_name: Pastro - first_name: Rodrigo full_name: Bonifácio, Rodrigo last_name: Bonifácio - first_name: Marcelo full_name: d'Amorim, Marcelo last_name: d'Amorim - first_name: Owolabi full_name: Legunsen, Owolabi last_name: Legunsen - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Edna full_name: Dias Canedo, Edna last_name: Dias Canedo citation: ama: 'Torres A, Costa P, Amaral L, et al. Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering. 
2023;49(10):4510-4525. doi:10.1109/tse.2023.3301660' apa: 'Torres, A., Costa, P., Amaral, L., Pastro, J., Bonifácio, R., d’Amorim, M., Legunsen, O., Bodden, E., & Dias Canedo, E. (2023). Runtime Verification of Crypto APIs: An Empirical Study. IEEE Transactions on Software Engineering, 49(10), 4510–4525. https://doi.org/10.1109/tse.2023.3301660' bibtex: '@article{Torres_Costa_Amaral_Pastro_Bonifácio_d’Amorim_Legunsen_Bodden_Dias Canedo_2023, title={Runtime Verification of Crypto APIs: An Empirical Study}, volume={49}, DOI={10.1109/tse.2023.3301660}, number={10}, journal={IEEE Transactions on Software Engineering}, publisher={Institute of Electrical and Electronics Engineers (IEEE)}, author={Torres, Adriano and Costa, Pedro and Amaral, Luis and Pastro, Jonata and Bonifácio, Rodrigo and d’Amorim, Marcelo and Legunsen, Owolabi and Bodden, Eric and Dias Canedo, Edna}, year={2023}, pages={4510–4525} }' chicago: 'Torres, Adriano, Pedro Costa, Luis Amaral, Jonata Pastro, Rodrigo Bonifácio, Marcelo d’Amorim, Owolabi Legunsen, Eric Bodden, and Edna Dias Canedo. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering 49, no. 10 (2023): 4510–25. https://doi.org/10.1109/tse.2023.3301660.' ieee: 'A. Torres et al., “Runtime Verification of Crypto APIs: An Empirical Study,” IEEE Transactions on Software Engineering, vol. 49, no. 10, pp. 4510–4525, 2023, doi: 10.1109/tse.2023.3301660.' mla: 'Torres, Adriano, et al. “Runtime Verification of Crypto APIs: An Empirical Study.” IEEE Transactions on Software Engineering, vol. 49, no. 10, Institute of Electrical and Electronics Engineers (IEEE), 2023, pp. 4510–25, doi:10.1109/tse.2023.3301660.' short: A. Torres, P. Costa, L. Amaral, J. Pastro, R. Bonifácio, M. d’Amorim, O. Legunsen, E. Bodden, E. Dias Canedo, IEEE Transactions on Software Engineering 49 (2023) 4510–4525. 
date_created: 2023-09-06T07:42:40Z date_updated: 2023-12-04T11:05:26Z department: - _id: '76' doi: 10.1109/tse.2023.3301660 intvolume: ' 49' issue: '10' keyword: - Software language: - iso: eng page: 4510 - 4525 publication: IEEE Transactions on Software Engineering publication_identifier: issn: - 0098-5589 - 1939-3520 - 2326-3881 publication_status: published publisher: Institute of Electrical and Electronics Engineers (IEEE) status: public title: 'Runtime Verification of Crypto APIs: An Empirical Study' type: journal_article user_id: '15249' volume: 49 year: '2023' ... --- _id: '49439' abstract: - lang: eng text: The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. 
Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter of the users do not understand the configuration options provided. The configuration options that are found most useful relate to the analysis scope. article_number: '118' author: - first_name: Goran full_name: Piskachev, Goran id: '41936' last_name: Piskachev orcid: 0000-0003-4424-5838 - first_name: Matthias full_name: Becker, Matthias id: '4870' last_name: Becker orcid: https://orcid.org/0000-0003-2465-9347 - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 citation: ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering. 2023;28(5). doi:10.1007/s10664-023-10354-3 apa: Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. Empirical Software Engineering, 28(5), Article 118. https://doi.org/10.1007/s10664-023-10354-3 bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={10.1007/s10664-023-10354-3}, number={5}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }' chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering 28, no. 5 (2023). https://doi.org/10.1007/s10664-023-10354-3. ieee: 'G. Piskachev, M. 
Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” Empirical Software Engineering, vol. 28, no. 5, Art. no. 118, 2023, doi: 10.1007/s10664-023-10354-3.' mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” Empirical Software Engineering, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:10.1007/s10664-023-10354-3. short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023). date_created: 2023-12-04T11:14:34Z date_updated: 2023-12-04T11:29:49Z department: - _id: '76' - _id: '662' doi: 10.1007/s10664-023-10354-3 intvolume: ' 28' issue: '5' keyword: - Software language: - iso: eng publication: Empirical Software Engineering publication_identifier: issn: - 1382-3256 - 1573-7616 publication_status: published publisher: Springer Science and Business Media LLC status: public title: Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study type: journal_article user_id: '15249' volume: 28 year: '2023' ... --- _id: '49438' author: - first_name: Stefan full_name: Krüger, Stefan last_name: Krüger - first_name: Michael full_name: Reif, Michael last_name: Reif - first_name: Anna-Katharina full_name: Wickert, Anna-Katharina last_name: Wickert - first_name: Sarah full_name: Nadi, Sarah last_name: Nadi - first_name: Karim full_name: Ali, Karim last_name: Ali - first_name: Eric full_name: Bodden, Eric id: '59256' last_name: Bodden orcid: 0000-0003-3470-3647 - first_name: Yasemin full_name: Acar, Yasemin id: '94636' last_name: Acar - first_name: Mira full_name: Mezini, Mira last_name: Mezini - first_name: Sascha full_name: Fahl, Sascha last_name: Fahl citation: ama: 'Krüger S, Reif M, Wickert A-K, et al. Securing Your Crypto-API Usage Through Tool Support - A Usability Study. 
In: 2023 IEEE Secure Development Conference (SecDev). IEEE; 2023. doi:10.1109/secdev56634.2023.00015' apa: Krüger, S., Reif, M., Wickert, A.-K., Nadi, S., Ali, K., Bodden, E., Acar, Y., Mezini, M., & Fahl, S. (2023). Securing Your Crypto-API Usage Through Tool Support - A Usability Study. 2023 IEEE Secure Development Conference (SecDev). https://doi.org/10.1109/secdev56634.2023.00015 bibtex: '@inproceedings{Krüger_Reif_Wickert_Nadi_Ali_Bodden_Acar_Mezini_Fahl_2023, title={Securing Your Crypto-API Usage Through Tool Support - A Usability Study}, DOI={10.1109/secdev56634.2023.00015}, booktitle={2023 IEEE Secure Development Conference (SecDev)}, publisher={IEEE}, author={Krüger, Stefan and Reif, Michael and Wickert, Anna-Katharina and Nadi, Sarah and Ali, Karim and Bodden, Eric and Acar, Yasemin and Mezini, Mira and Fahl, Sascha}, year={2023} }' chicago: Krüger, Stefan, Michael Reif, Anna-Katharina Wickert, Sarah Nadi, Karim Ali, Eric Bodden, Yasemin Acar, Mira Mezini, and Sascha Fahl. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” In 2023 IEEE Secure Development Conference (SecDev). IEEE, 2023. https://doi.org/10.1109/secdev56634.2023.00015. ieee: 'S. Krüger et al., “Securing Your Crypto-API Usage Through Tool Support - A Usability Study,” 2023, doi: 10.1109/secdev56634.2023.00015.' mla: Krüger, Stefan, et al. “Securing Your Crypto-API Usage Through Tool Support - A Usability Study.” 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023, doi:10.1109/secdev56634.2023.00015. short: 'S. Krüger, M. Reif, A.-K. Wickert, S. Nadi, K. Ali, E. Bodden, Y. Acar, M. Mezini, S. Fahl, in: 2023 IEEE Secure Development Conference (SecDev), IEEE, 2023.' 
date_created: 2023-12-04T11:07:08Z date_updated: 2023-12-04T11:14:10Z department: - _id: '76' - _id: '740' doi: 10.1109/secdev56634.2023.00015 language: - iso: eng publication: 2023 IEEE Secure Development Conference (SecDev) publication_status: published publisher: IEEE status: public title: Securing Your Crypto-API Usage Through Tool Support - A Usability Study type: conference user_id: '15249' year: '2023' ...