Unintentional Security Flaws in Code: Automated Defense via Root Cause Analysis

TL;DR

This paper evaluates existing security tools' effectiveness for junior developers, identifies their limitations in root cause localization, and introduces T5-RCGCN, an automated toolkit that significantly improves vulnerability fixing and developer understanding.

Contribution

The paper presents T5-RCGCN, a novel automated root cause analysis toolkit combining language models and graph networks, enhancing vulnerability localization and developer comprehension.

Findings

Current tools only secure 36.2% of vulnerable code.

Developers struggle to identify root causes of vulnerabilities.

T5-RCGCN improves security by 28.9% and developer understanding by 17.0%.

Abstract

Software security remains a critical concern, particularly as junior developers, often lacking comprehensive knowledge of security practices, contribute to codebases. While there are tools to help developers proactively write secure code, their actual effectiveness in helping developers fix their vulnerable code remains largely unmeasured. Moreover, these approaches typically focus on classifying and localizing vulnerabilities without highlighting the specific code segments that are the root cause of the issues, a crucial aspect for developers seeking to fix their vulnerable code. To address these challenges, we conducted a comprehensive study evaluating the efficacy of existing methods in helping junior developers secure their code. Our findings across five types of security vulnerabilities revealed that current tools enabled developers to secure only 36.2\% of vulnerable code. Questionnaire results from these participants further indicated that not knowing the code that was the root cause of the vulnerability was one of their primary challenges in repairing the vulnerable code. Informed by these insights, we developed an automated vulnerability root cause (RC) toolkit called T5-RCGCN, that combines T5 language model embeddings with a graph convolutional network (GCN) for vulnerability classification and localization. Additionally, we integrated DeepLiftSHAP to identify the code segments that were the root cause of the vulnerability. We tested T5-RCGCN with 56 junior developers across three datasets, showing a 28.9\% improvement in code security compared to previous methods. Developers using the tool also gained a deeper understanding of vulnerability root causes, resulting in a 17.0\% improvement in their ability to secure code independently. These results demonstrate the tool's potential for both immediate security enhancement and long-term developer skill growth.