[{"publisher":"Springer Science and Business Media LLC","date_updated":"2023-12-04T11:29:49Z","volume":28,"date_created":"2023-12-04T11:14:34Z","author":[{"orcid":"0000-0003-4424-5838","last_name":"Piskachev","full_name":"Piskachev, Goran","id":"41936","first_name":"Goran"},{"last_name":"Becker","orcid":"https://orcid.org/0000-0003-2465-9347","id":"4870","full_name":"Becker, Matthias","first_name":"Matthias"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"title":"Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study","doi":"10.1007/s10664-023-10354-3","publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","issue":"5","year":"2023","intvolume":"        28","citation":{"bibtex":"@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study}, volume={28}, DOI={<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>}, number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden, Eric}, year={2023} }","short":"G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).","mla":"Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software Engineering</i>, vol. 28, no. 5, 118, Springer Science and Business Media LLC, 2023, doi:<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>.","apa":"Piskachev, G., Becker, M., &#38; Bodden, E. (2023). Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. <i>Empirical Software Engineering</i>, <i>28</i>(5), Article 118. 
<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">https://doi.org/10.1007/s10664-023-10354-3</a>","ama":"Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study. <i>Empirical Software Engineering</i>. 2023;28(5). doi:<a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>","chicago":"Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software Engineering</i> 28, no. 5 (2023). <a href=\"https://doi.org/10.1007/s10664-023-10354-3\">https://doi.org/10.1007/s10664-023-10354-3</a>.","ieee":"G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study,” <i>Empirical Software Engineering</i>, vol. 28, no. 5, Art. no. 118, 2023, doi: <a href=\"https://doi.org/10.1007/s10664-023-10354-3\">10.1007/s10664-023-10354-3</a>."},"_id":"49439","department":[{"_id":"76"},{"_id":"662"}],"user_id":"15249","keyword":["Software"],"article_number":"118","language":[{"iso":"eng"}],"publication":"Empirical Software Engineering","type":"journal_article","abstract":[{"lang":"eng","text":"<jats:title>Abstract</jats:title><jats:p>The use of static analysis security testing (SAST) tools has been increasing in recent years. However, previous studies have shown that, when shipped to end users such as development or security teams, the findings of these tools are often unsatisfying. Users report high numbers of false positives or long analysis times, making the tools unusable in the daily workflow. To address this, SAST tool creators provide a wide range of configuration options, such as customization of rules through domain-specific languages or specification of the application-specific analysis scope. 
In this paper, we study the configuration space of selected existing SAST tools when used within the integrated development environment (IDE). We focus on the configuration options that impact three dimensions, for which a trade-off is unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects user study with 40 users from multiple development and security teams - to our knowledge, the largest population for this kind of user study in the software engineering community. The results show that users who configure SAST tools are more effective in resolving security vulnerabilities detected by the tools than those using the default configuration. Based on post-study interviews, we identify common strategies that users have while configuring the SAST tools to provide further insights for tool creators. Finally, an evaluation of the configuration options of two commercial SAST tools, <jats:sc>Fortify</jats:sc> and <jats:sc>CheckMarx</jats:sc>, reveals that a quarter of the users do not understand the configuration options provided. 
The configuration options that are found most useful relate to the analysis scope.</jats:p>"}],"status":"public"},{"title":"TaintBench: Automatic real-world malware benchmarking of Android taint analyses","doi":"10.1007/s10664-021-10013-5","main_file_link":[{"url":"https://link.springer.com/content/pdf/10.1007/s10664-021-10013-5.pdf","open_access":"1"}],"oa":"1","date_updated":"2022-01-06T06:57:32Z","author":[{"full_name":"Luo, Linghui","last_name":"Luo","first_name":"Linghui"},{"last_name":"Pauck","full_name":"Pauck, Felix","id":"22398","first_name":"Felix"},{"id":"41936","full_name":"Piskachev, Goran","orcid":"0000-0003-4424-5838","last_name":"Piskachev","first_name":"Goran"},{"full_name":"Benz, Manuel","last_name":"Benz","first_name":"Manuel"},{"last_name":"Pashchenko","full_name":"Pashchenko, Ivan","first_name":"Ivan"},{"first_name":"Martin","orcid":"0000-0001-5609-0031","last_name":"Mory","id":"65667","full_name":"Mory, Martin"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"},{"id":"66173","full_name":"Hermann, Ben","orcid":"0000-0001-9848-2017","last_name":"Hermann","first_name":"Ben"},{"first_name":"Fabio","last_name":"Massacci","full_name":"Massacci, Fabio"}],"date_created":"2021-11-02T05:13:49Z","year":"2021","citation":{"ama":"Luo L, Pauck F, Piskachev G, et al. TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. Published online 2021. doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>","ieee":"L. Luo <i>et al.</i>, “TaintBench: Automatic real-world malware benchmarking of Android taint analyses,” <i>Empirical Software Engineering</i>, 2021, doi: <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","chicago":"Luo, Linghui, Felix Pauck, Goran Piskachev, Manuel Benz, Ivan Pashchenko, Martin Mory, Eric Bodden, Ben Hermann, and Fabio Massacci. 
“TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021. <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>.","apa":"Luo, L., Pauck, F., Piskachev, G., Benz, M., Pashchenko, I., Mory, M., Bodden, E., Hermann, B., &#38; Massacci, F. (2021). TaintBench: Automatic real-world malware benchmarking of Android taint analyses. <i>Empirical Software Engineering</i>. <a href=\"https://doi.org/10.1007/s10664-021-10013-5\">https://doi.org/10.1007/s10664-021-10013-5</a>","bibtex":"@article{Luo_Pauck_Piskachev_Benz_Pashchenko_Mory_Bodden_Hermann_Massacci_2021, title={TaintBench: Automatic real-world malware benchmarking of Android taint analyses}, DOI={<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>}, journal={Empirical Software Engineering}, author={Luo, Linghui and Pauck, Felix and Piskachev, Goran and Benz, Manuel and Pashchenko, Ivan and Mory, Martin and Bodden, Eric and Hermann, Ben and Massacci, Fabio}, year={2021} }","mla":"Luo, Linghui, et al. “TaintBench: Automatic Real-World Malware Benchmarking of Android Taint Analyses.” <i>Empirical Software Engineering</i>, 2021, doi:<a href=\"https://doi.org/10.1007/s10664-021-10013-5\">10.1007/s10664-021-10013-5</a>.","short":"L. Luo, F. Pauck, G. Piskachev, M. Benz, I. Pashchenko, M. Mory, E. Bodden, B. Hermann, F. 
Massacci, Empirical Software Engineering (2021)."},"publication_identifier":{"issn":["1382-3256","1573-7616"]},"publication_status":"published","ddc":["000"],"language":[{"iso":"eng"}],"_id":"27045","project":[{"_id":"1","name":"SFB 901"},{"_id":"3","name":"SFB 901 - Project Area B"},{"_id":"12","name":"SFB 901 - Subproject B4"}],"department":[{"_id":"77"},{"_id":"76"}],"user_id":"15249","abstract":[{"text":"Due to the lack of established real-world benchmark suites for static taint analyses of Android applications, evaluations of these analyses are often restricted and hard to compare. Even in evaluations that do use real-world apps, details about the ground truth in those apps are rarely documented, which makes it difficult to compare and reproduce the results. To push Android taint analysis research forward, this paper thus recommends criteria for constructing real-world benchmark suites for this specific domain, and presents TaintBench, the first real-world malware benchmark suite with documented taint flows. The TaintBench benchmark apps include taint flows with complex structures and address static-analysis challenges that are commonly agreed on by the community. Together with the TaintBench suite, we introduce the TaintBench framework, whose goal is to simplify real-world benchmarking of Android taint analyses. First, a usability test shows that the framework improves experts’ performance and perceived usability when documenting and inspecting taint flows. Second, experiments using TaintBench reveal new insights for the taint analysis tools Amandroid and FlowDroid: (i) They are less effective on real-world malware apps than on synthetic benchmark apps. (ii) Predefined lists of sources and sinks heavily impact the tools’ accuracy. (iii) Surprisingly, up-to-date versions of both tools are less accurate than their predecessors.","lang":"eng"}],"status":"public","publication":"Empirical Software Engineering","type":"journal_article"}]
