Thursday, December 16 • 1:40pm - 2:10pm
Commonality and Trends in SAST Results

The scale and complexity of mass-production software has made manual testing for security-related vulnerabilities effectively impossible. Automated security testing tools are required to rapidly assess the security issues in software. In our study, we ran ten popular SAST tools against 8 large (7.7 MLOC total) mature open-source projects. The tools found 685K total defects. Less than 1% of the defects were common between two or more tools. To determine commonality, the defect results were normalized based upon the consistent and accurate application of MITRE defect definitions. It was found that 61% of defect rules were either mischaracterized or misaligned. Using mathematical analysis of the code properties that cause false positives by defect rules, it was also found that 61% of Java and JavaScript defects had high validity confidence, whereas only 21% of C/C++ findings were high confidence. Detailed analysis of attack patterns showed that only 5.5% of the found defects were easy to exploit. By using a novel probabilistic approach to determine severity of consequence, it was discovered that only 6.5% of the defects were highly severe.
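The commonality measurement the abstract describes depends on one step it only mentions in passing: mapping each tool's native rule IDs onto a shared CWE vocabulary before comparing locations. The following is an added illustration of that step, not code from the study or from Spectare Systems or CyberSagacity; the tool names, rule IDs, the rule-to-CWE map, the sample findings and the line tolerance are all constructed for the example. It clusters findings from three hypothetical tools into defects and reports how many defects two or more tools agree on, both with and without CWE normalization, so the effect of a misaligned or missing mapping is visible.

```python
"""Normalize SAST findings from several tools to CWE IDs and measure how
many defects two or more tools agree on.

Added example; not the talk's or any vendor's code. Tool names, rule IDs,
the rule-to-CWE map, the findings and LINE_TOLERANCE are constructed."""
from collections import defaultdict

# Hypothetical map from each tool's native rule ID to a CWE ID. This is the
# "consistent application of MITRE defect definitions" step; a rule that is
# mapped to the wrong CWE, or not mapped at all, silently destroys overlap.
RULE_TO_CWE = {
    ("toolA", "SQLI-01"): "CWE-89",
    ("toolA", "PATH-TRAV"): "CWE-22",
    ("toolB", "sql.injection"): "CWE-89",
    ("toolB", "buffer.overflow"): "CWE-120",
    ("toolC", "S3649"): "CWE-89",
    ("toolC", "S5131"): "CWE-79",
}

LINE_TOLERANCE = 2  # assumption: sinks reported within 2 lines are one defect


def normalize(findings):
    """Map raw (tool, rule, path, line) tuples to (tool, cwe, path, line).
    Findings whose rule has no CWE mapping are dropped and counted."""
    mapped, unmapped = [], 0
    for tool, rule, path, line in findings:
        cwe = RULE_TO_CWE.get((tool, rule))
        if cwe is None:
            unmapped += 1
            continue
        mapped.append((tool, cwe, path, line))
    return mapped, unmapped


def cluster(records):
    """Group (tool, category, path, line) records into defects: same file,
    same category, and line within LINE_TOLERANCE of the cluster's last line.
    Returns a list of dicts with the category, path, lines and reporting tools."""
    by_key = defaultdict(list)
    for tool, category, path, line in records:
        by_key[(category, path)].append((line, tool))
    defects = []
    for (category, path), items in by_key.items():
        items.sort()  # walk lines in order so tolerance chaining is well defined
        current = None
        for line, tool in items:
            if current is not None and line - current["lines"][-1] <= LINE_TOLERANCE:
                current["lines"].append(line)
                current["tools"].add(tool)
            else:
                current = {"category": category, "path": path,
                           "lines": [line], "tools": {tool}}
                defects.append(current)
    return defects


def commonality(findings, normalize_to_cwe=True):
    """Return overlap statistics. With normalize_to_cwe=False the native rule
    ID is used as the category, which is how cross-tool agreement vanishes."""
    if normalize_to_cwe:
        records, unmapped = normalize(findings)
    else:
        records, unmapped = list(findings), 0
    defects = cluster(records)
    shared = [d for d in defects if len(d["tools"]) >= 2]
    return {
        "raw_findings": len(findings),
        "unmapped": unmapped,
        "defects": len(defects),
        "shared_defects": len(shared),
        "shared_fraction": len(shared) / len(defects) if defects else 0.0,
    }


# Constructed sample findings: (tool, native rule ID, file, line).
SAMPLE = [
    ("toolA", "SQLI-01", "src/db.py", 40),
    ("toolB", "sql.injection", "src/db.py", 41),   # same sink, one line off
    ("toolC", "S3649", "src/db.py", 40),
    ("toolA", "PATH-TRAV", "src/files.py", 12),
    ("toolB", "buffer.overflow", "native/parse.c", 88),
    ("toolC", "S5131", "web/render.py", 7),
    ("toolC", "S9999", "web/render.py", 30),        # rule with no CWE mapping
]

if __name__ == "__main__":
    print("normalized:", commonality(SAMPLE))
    print("native rule IDs:", commonality(SAMPLE, normalize_to_cwe=False))
```

On the constructed sample, CWE normalization collapses the three SQL-injection reports on `src/db.py` into one defect seen by all three tools (4 defects, 1 shared), while clustering on native rule IDs yields 7 distinct defects and zero agreement. The one unmapped rule is counted rather than ignored, since an unmapped or misaligned rule is exactly the kind of error the abstract reports for 61% of defect rules.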

Chris Near

Chief Technical Officer and Founder, Spectare Systems, Inc.
Dr. Chris Near has pursued research and development in the mathematical analysis of software for over 3 decades. He is the inventor of the set of capabilities that are the foundation of CyberSagacity Ltd. He is also the inventor, architect, and designer of SATriage, the company's...

Thursday December 16, 2021 1:40pm - 2:10pm EST
