---
_id: '49439'
abstract:
- lang: eng
  text: The use of static analysis security testing (SAST) tools has been increasing
    in recent years. However, previous studies have shown that, when shipped to end
    users such as development or security teams, the findings of these tools are often
    unsatisfying. Users report high numbers of false positives or long analysis times,
    making the tools unusable in the daily workflow. To address this, SAST tool creators
    provide a wide range of configuration options, such as customization of rules through
    domain-specific languages or specification of the application-specific analysis
    scope. In this paper, we study the configuration space of selected existing SAST
    tools when used within the integrated development environment (IDE). We focus on
    the configuration options that impact three dimensions for which a trade-off is
    unavoidable, i.e., precision, recall, and analysis runtime. We perform a between-subjects
    user study with 40 users from multiple development and security teams - to our
    knowledge, the largest population for this kind of user study in the software
    engineering community. The results show that users who configure SAST tools are
    more effective in resolving security vulnerabilities detected by the tools than
    those using the default configuration. Based on post-study interviews, we identify
    common strategies that users follow when configuring the SAST tools, to provide
    further insights for tool creators. Finally, an evaluation of the configuration
    options of two commercial SAST tools, Fortify and CheckMarx, reveals that a quarter
    of the users do not understand the configuration options provided. The configuration
    options that are found most useful relate to the analysis scope.
article_number: '118'
author:
- first_name: Goran
  full_name: Piskachev, Goran
  id: '41936'
  last_name: Piskachev
  orcid: 0000-0003-4424-5838
- first_name: Matthias
  full_name: Becker, Matthias
  id: '4870'
  last_name: Becker
  orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
citation:
  ama: Piskachev G, Becker M, Bodden E. Can the configuration of static analyses make
    resolving security vulnerabilities more effective? - A user study. <i>Empirical
    Software Engineering</i>. 2023;28(5). doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>
  apa: Piskachev, G., Becker, M., & Bodden, E. (2023). Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study. <i>Empirical Software Engineering</i>, <i>28</i>(5), Article 118. <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>
  bibtex: '@article{Piskachev_Becker_Bodden_2023, title={Can the configuration of
    static analyses make resolving security vulnerabilities more effective? - A user
    study}, volume={28}, DOI={<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>},
    number={5118}, journal={Empirical Software Engineering}, publisher={Springer Science
    and Business Media LLC}, author={Piskachev, Goran and Becker, Matthias and Bodden,
    Eric}, year={2023} }'
  chicago: Piskachev, Goran, Matthias Becker, and Eric Bodden. “Can the Configuration
    of Static Analyses Make Resolving Security Vulnerabilities More Effective? - A
    User Study.” <i>Empirical Software Engineering</i> 28, no. 5 (2023). <a href="https://doi.org/10.1007/s10664-023-10354-3">https://doi.org/10.1007/s10664-023-10354-3</a>.
  ieee: 'G. Piskachev, M. Becker, and E. Bodden, “Can the configuration of static
    analyses make resolving security vulnerabilities more effective? - A user study,”
    <i>Empirical Software Engineering</i>, vol. 28, no. 5, Art. no. 118, 2023, doi:
    <a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.'
  mla: Piskachev, Goran, et al. “Can the Configuration of Static Analyses Make Resolving
    Security Vulnerabilities More Effective? - A User Study.” <i>Empirical Software
    Engineering</i>, vol. 28, no. 5, 118, Springer Science and Business Media LLC,
    2023, doi:<a href="https://doi.org/10.1007/s10664-023-10354-3">10.1007/s10664-023-10354-3</a>.
  short: G. Piskachev, M. Becker, E. Bodden, Empirical Software Engineering 28 (2023).
date_created: 2023-12-04T11:14:34Z
date_updated: 2023-12-04T11:29:49Z
department:
- _id: '76'
- _id: '662'
doi: 10.1007/s10664-023-10354-3
intvolume: '        28'
issue: '5'
keyword:
- Software
language:
- iso: eng
publication: Empirical Software Engineering
publication_identifier:
  issn:
  - 1382-3256
  - 1573-7616
publication_status: published
publisher: Springer Science and Business Media LLC
status: public
title: Can the configuration of static analyses make resolving security vulnerabilities
  more effective? - A user study
type: journal_article
user_id: '15249'
volume: 28
year: '2023'
...
---
_id: '20347'
author:
- first_name: Faruk
  full_name: Pasic, Faruk
  id: '49576'
  last_name: Pasic
- first_name: Benedict
  full_name: Wohlers, Benedict
  id: '53786'
  last_name: Wohlers
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Matthias
  full_name: Becker, Matthias
  id: '4870'
  last_name: Becker
  orcid: https://orcid.org/0000-0003-2465-9347
- first_name: Matthias
  full_name: Heinrich, Matthias
  last_name: Heinrich
citation:
  ama: 'Pasic F, Wohlers B, Dziwok S, Becker M, Heinrich M. A KPI-based Condition
    Monitoring System for the Beer Brewing Process. In: <i>2019 24th IEEE International
    Conference on Emerging Technologies and Factory Automation (ETFA)</i>. ; 2019:1469-1472.'
  apa: Pasic, F., Wohlers, B., Dziwok, S., Becker, M., & Heinrich, M. (2019).
    A KPI-based Condition Monitoring System for the Beer Brewing Process. <i>2019
    24th IEEE International Conference on Emerging Technologies and Factory Automation
    (ETFA)</i>, 1469–1472.
  bibtex: '@inproceedings{Pasic_Wohlers_Dziwok_Becker_Heinrich_2019, title={A KPI-based
    Condition Monitoring System for the Beer Brewing Process}, booktitle={2019 24th
    IEEE International Conference on Emerging Technologies and Factory Automation
    (ETFA)}, author={Pasic, Faruk and Wohlers, Benedict and Dziwok, Stefan and Becker,
    Matthias and Heinrich, Matthias}, year={2019}, pages={1469–1472} }'
  chicago: Pasic, Faruk, Benedict Wohlers, Stefan Dziwok, Matthias Becker, and Matthias
    Heinrich. “A KPI-Based Condition Monitoring System for the Beer Brewing Process.”
    In <i>2019 24th IEEE International Conference on Emerging Technologies and Factory
    Automation (ETFA)</i>, 1469–72, 2019.
  ieee: F. Pasic, B. Wohlers, S. Dziwok, M. Becker, and M. Heinrich, “A KPI-based
    Condition Monitoring System for the Beer Brewing Process,” in <i>2019 24th IEEE
    International Conference on Emerging Technologies and Factory Automation (ETFA)</i>,
    2019, pp. 1469–1472.
  mla: Pasic, Faruk, et al. “A KPI-Based Condition Monitoring System for the Beer
    Brewing Process.” <i>2019 24th IEEE International Conference on Emerging Technologies
    and Factory Automation (ETFA)</i>, 2019, pp. 1469–72.
  short: 'F. Pasic, B. Wohlers, S. Dziwok, M. Becker, M. Heinrich, in: 2019 24th IEEE
    International Conference on Emerging Technologies and Factory Automation (ETFA),
    2019, pp. 1469–1472.'
date_created: 2020-11-13T08:34:51Z
date_updated: 2022-01-06T06:54:26Z
department:
- _id: '241'
language:
- iso: eng
page: 1469-1472
publication: 2019 24th IEEE International Conference on Emerging Technologies and
  Factory Automation (ETFA)
status: public
title: A KPI-based Condition Monitoring System for the Beer Brewing Process
type: conference
user_id: '14931'
year: '2019'
...
---
_id: '20761'
abstract:
- lang: eng
  text: 'The processes for manufacturing and operating modern technical products require
    expertise in multiple disciplines like mechanical engineering, electrical engineering,
    and software engineering. Assessing the current condition and quality of these
    processes and the machines involved is challenging due to the inherent complexity
    of the products and the required expertise in multiple engineering domains. Globalization
    and increasing competition make it necessary to reduce production costs while
    at the same time ensuring high throughput and product quality. Without the ability
    to precisely assess the condition and quality of production processes and the
    machines involved, taking action to steer these metrics is nearly impossible and
    results in unnecessarily high production costs. In our previous publications, we
    introduced the concept of Key Performance Indicators (KPIs) for mechatronic systems
    as a means to assess the condition and quality of products and production processes
    in a graspable yet substantial and efficient way. In this paper, we further refine
    our KPI concepts and evaluate them for two different use cases: we apply our KPI
    concept to a manufacturing process in the mechatronic system domain and to an operation
    process in the food production domain. We provide detailed insights into how we
    applied our concepts within these domains and report on lessons learned. In
    addition, we provide a business case estimation for our software solution that
    assesses the KPIs of our food production domain example.'
author:
- first_name: Benedict
  full_name: Wohlers, Benedict
  id: '53786'
  last_name: Wohlers
- first_name: Stefan
  full_name: Dziwok, Stefan
  id: '3901'
  last_name: Dziwok
  orcid: http://orcid.org/0000-0002-8679-6673
- first_name: Faruk
  full_name: Pasic, Faruk
  id: '49576'
  last_name: Pasic
- first_name: Andre
  full_name: Lipsmeier, Andre
  last_name: Lipsmeier
- first_name: Matthias
  full_name: Becker, Matthias
  id: '4870'
  last_name: Becker
  orcid: https://orcid.org/0000-0003-2465-9347
citation:
  ama: Wohlers B, Dziwok S, Pasic F, Lipsmeier A, Becker M. Monitoring and Control
    of Production Processes based on Key Performance Indicators for Mechatronic Systems.
    <i>International Journal of Production Economics</i>. 2019.
  apa: Wohlers, B., Dziwok, S., Pasic, F., Lipsmeier, A., & Becker, M. (2019).
    Monitoring and Control of Production Processes based on Key Performance Indicators
    for Mechatronic Systems. <i>International Journal of Production Economics</i>.
  bibtex: '@article{Wohlers_Dziwok_Pasic_Lipsmeier_Becker_2019, title={Monitoring
    and Control of Production Processes based on Key Performance Indicators for Mechatronic
    Systems}, journal={International Journal of Production Economics}, author={Wohlers,
    Benedict and Dziwok, Stefan and Pasic, Faruk and Lipsmeier, Andre and Becker,
    Matthias}, year={2019} }'
  chicago: Wohlers, Benedict, Stefan Dziwok, Faruk Pasic, Andre Lipsmeier, and Matthias
    Becker. “Monitoring and Control of Production Processes Based on Key Performance
    Indicators for Mechatronic Systems.” <i>International Journal of Production Economics</i>,
    2019.
  ieee: B. Wohlers, S. Dziwok, F. Pasic, A. Lipsmeier, and M. Becker, “Monitoring
    and Control of Production Processes based on Key Performance Indicators for Mechatronic
    Systems,” <i>International Journal of Production Economics</i>, 2019.
  mla: Wohlers, Benedict, et al. “Monitoring and Control of Production Processes Based
    on Key Performance Indicators for Mechatronic Systems.” <i>International Journal
    of Production Economics</i>, 2019.
  short: B. Wohlers, S. Dziwok, F. Pasic, A. Lipsmeier, M. Becker, International Journal
    of Production Economics (2019).
date_created: 2020-12-16T14:06:20Z
date_updated: 2022-01-06T06:54:36Z
department:
- _id: '241'
language:
- iso: eng
publication: International Journal of Production Economics
status: public
title: Monitoring and Control of Production Processes based on Key Performance Indicators
  for Mechatronic Systems
type: journal_article
user_id: '3901'
year: '2019'
...
