An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing
Roland Croft, Dominic Newlands, Ziyu Chen, M. Ali Babar
TL;DR
This empirical study compares rule-based SAST tools and learning-based SVP models, finding that SVP models generally outperform SAST tools in detecting and assessing security vulnerabilities, but combining them offers limited synergy.
Contribution
The paper provides the first comprehensive empirical comparison of SAST tools and SVP models, highlighting their relative strengths and challenges in source code security analysis.
Findings
SVP models outperform SAST tools in detection accuracy.
Both approaches have similar detection capabilities.
Limited synergy when combining SAST and SVP methods.
Abstract
Background: Static Application Security Testing (SAST) tools purport to assist developers in detecting security issues in source code. These tools typically use rule-based approaches to scan source code for security vulnerabilities. However, due to the significant shortcomings of these tools (i.e., high false positive rates), learning-based approaches for Software Vulnerability Prediction (SVP) are becoming a popular approach. Aims: Despite the similar objectives of these two approaches, their comparative value is unexplored. We provide an empirical analysis of SAST tools and SVP models, to identify their relative capabilities for source code security analysis. Method: We evaluate the detection and assessment performance of several common SAST tools and SVP models on a variety of vulnerability datasets. We further assess the viability and potential benefits of combining the two…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.