From Detection to Prevention: Explaining Security-Critical Code to Avoid Vulnerabilities
Ranjith Krishnamurthy, Oshando Johnson, Goran Piskachev, Eric Bodden

TL;DR
This paper proposes a proactive approach to security by identifying security-critical code regions and providing prevention-focused explanations using code metrics and language models, aiming to reduce vulnerabilities early in development.
Contribution
It introduces an IntelliJ IDEA plugin that combines code metrics and language models to identify and explain security-critical code for prevention, not just detection.
Findings
The selected metrics identify most security-critical methods in the sample application.
The LLM provides actionable, prevention-oriented explanations.
Work lays foundation for security-aware code metrics and explanations.
Abstract
Security vulnerabilities often arise unintentionally during development due to a lack of security expertise and code complexity. Traditional tools, such as static and dynamic analysis, detect vulnerabilities only after they are introduced in code, leading to costly remediation. This work explores a proactive strategy to prevent vulnerabilities by highlighting code regions that implement security-critical functionality -- such as data access, authentication, and input handling -- and providing guidance for their secure implementation. We present an IntelliJ IDEA plugin prototype that uses code-level software metrics to identify potentially security-critical methods and large language models (LLMs) to generate prevention-oriented explanations. Our initial evaluation on the Spring-PetClinic application shows that the selected metrics identify most known security-critical methods, while an…
Taxonomy
Topics: Information and Cyber Security · Security and Verification in Computing · Software Engineering Research
