IEEE S&P 2024 Distinguished Paper Award
Researchers from the Computer Science Department at William & Mary and the University of Central Florida have been recognized with a Distinguished Paper award at the prestigious 45th Symposium on Security and Privacy of the Institute of Electrical and Electronics Engineers (IEEE). The paper, "'False negative - that one is going to kill you': Understanding Industry Perspectives of Static Analysis based Security Testing," provides significant insights into how developers perceive and utilize Static Analysis based Security Testing (SAST) tools.
As automated security analysis techniques become increasingly essential, driven by regulatory, compliance, and overall system-security requirements, the study examines the perceptions, expectations, and challenges developers face when they rely on SASTs to identify vulnerabilities in software systems.
"We identified 17 key findings that challenge conventional wisdom in the design and deployment of SAST tools," said Amit Seal Ami, lead author of the paper and PhD Candidate in Computer Science at William & Mary. "Our goal was to bridge the gaps between the decade-old assumptions that continue to influence the design decisions and the practical realities developers face."
Co-authors on the paper are Ami’s co-advisors, Dr. Adwait Nadkarni, Class of 1953 Associate Professor, and Dr. Denys Poshyvanyk, Chancellor Professor in the William & Mary Computer Science department, as well as W&M CS Ph.D. alumnus Dr. Kevin Moran, now an Assistant Professor in CS at the University of Central Florida.
The study highlights the gaps in current SAST practices and emphasizes the necessity of aligning tool capabilities with developer expectations. It found that many software practitioners were frustrated with false negatives—instances where SAST tools fail to detect actual security vulnerabilities, thus leading to security risks.
"Understanding and learning about these challenges experienced by software practitioners is critical for improving the application of SAST tools," said Dr. Nadkarni.
The Distinguished Paper award at the IEEE Symposium on Security and Privacy, a premier security conference, demonstrates the significance of this research in cybersecurity. As security threats evolve, studies such as this are crucial for equipping developers with practical tools to safeguard the global digital infrastructure.