See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/221548746

Static Code Analysis to Detect Software Security Vulnerabilities - Does

Experience Matter?

Conference Paper · January 2009

DOI: 10.1109/ARES.2009.163 · Source: DBLP

CITATIONS READS

25 1,618

4 authors, including:

Kai Petersen Bengt Carlsson

Blekinge Institute of Technology Blekinge Institute of Technology
86 PUBLICATIONS   3,089 CITATIONS    38 PUBLICATIONS   392 CITATIONS   

SEE PROFILE SEE PROFILE

Lars Lundberg
Blekinge Institute of Technology
195 PUBLICATIONS   1,301 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Understanding Agile Practice Interdepedencies - A Survey View project

EASE Theme E - Decision support for software testing View project

All content following this page was uploaded by Kai Petersen on 19 May 2015.

The user has requested enhancement of the downloaded file.

 Static Code Analysis to Detect Software Security Vulnerabilities -
Does Experience Matter?

Dejan Baca1,2, Kai Petersen1,2, Bengt Carlsson2, Lars Lundberg2

2
School of Engineering, Blekinge Institute of Technology
{dejan.baca | kai.petersen | bengt.carlsson | lars.lundberg}@bth.se

Abstract To achieve this task, one has to identify the defects

Code reviews with static analysis tools are today
recommended by several security development
processes. Developers are expected to use the tools’
output to detect the security threats they themselves
have introduced in the source code. This approach
assumes that all developers can correctly identify a
warning from a static analysis tool (SAT) as a security
threat that needs to be corrected. We have conducted
an industry experiment with a state of the art static
analysis tool and real vulnerabilities. We have found
that average developers do not correctly identify the
security warnings and only developers with specific
experiences are better than chance in detecting the
security vulnerabilities. Specific SAT experience more
than doubled the number of correct answers and a
combination of security experience and SAT
experience almost tripled the number of correct
security answers.
1. Introduction
In recent years software companies have concerned
themselves with security related threats connected to
their products’ source code. This is related to
customers demanding high security in software
products and that software products are used in
networks where software vulnerabilities can be
exploited (e.g., for intrusion) [1]. With these new
threats, software companies have to improve the
security of their products by preventing code
vulnerabilities. In consequence, software companies
now have to develop products with secure code and
verify that legacy code is secure. This is a task that can
slow ongoing development and is very expensive if the
product has a large legacy code base.
that cause source code vulnerabilities. Two main semi-
automated alternatives are possible, namely static and
dynamic detection of faults. The dynamic detection of
faults is done late in the process as it requires the
software system to be complete and executable. If the
system fails, then the location of the cause of the failure
has to be identified. The static analysis does not require
that the system is executable. Instead, it can be run on
incomplete parts of the system (e.g,. just a small part of
the overall code base) and highlights the cause of a
possible failure. This leads to two main benefits: 1)
Faults can be detected early in development and thus
are much less expensive to fix compared to late
detection [3], and 2) the location of a failure does not
have to be identified.
From a security perspective, the system is not able
to determine which of the identified problems are
security vulnerabilities. Instead, this judgment has to be
made by developers who use the output of the static
code analysis tools. In order to select the right people
for the task, one has to know which experience is
necessary to succeed in judging the output of the static
code analysis tool. That is, if certain types of
experience (e.g., knowledge in security, knowledge in a
programming language, and experience with the static
code analysis tool) matter, then they have to be
considered when assigning people to the task.
However, several studies and articles have shown that
the SAT are indeed useful tools with lots of potential
[9][10][11], but all previous studies have been done by
experts assuming that developers using the tool will
have the same results. That is, no empirical evidence is
provided on the impact of experience on the results of
static code analysis usage.
To address this research gap the aim of this study is
to determine the impact of experience on the correct

1
Authors are also affiliated with Ericsson AB, Box 518, SE-37123 Karlskrona, Sweden, [email protected],
[email protected]
identification and classification of faults identified by a
static code analysis tool (SAT). The study has been
conducted as an industry experiment with 34
developers. Furthermore, the perceived confidence in
the answers from a single developer has been asked for
to control whether the answers can be considered as not
random.
We therefore want to answer if SATs are useful for
average developers as a vulnerability detector, if
developers with certain experience get better results
and if the developers can identify when they need aid in
interpreting the SAT.
In section 1 the introduction and research problem is
presented. Section 2 explains the background and
related work In Section 3 our research method is
explained, followed by the results in Section 4. In
Section 5 we discuss the impact and possible reasons of
our result followed by our conclusions in Section 6.
2. Background and Related Work
The first static analysis tools (SAT) were simple
program checkers [6] that were no more sophisticated
than a simple grep or find command. These simple
SATs were soon followed by several commercial tools
that for a variety of coding languages tried to achieve
an automated source code review. These tools capture
the most common faults in a particular coding language
and help the developers to create more stable code. The
tools represent a varying degree of sophistication and
some utilize complicated techniques such as an abstract
interpretation to achieve their goal of better
accomplished automation [7]. A coding fault also
represents a large quantity of software vulnerabilities
where SATs have the capability to detect these faults.
SATs are therefore good security touch points that can
be introduced early in the development process [8].
Experiences from industry show worse than expected
results [12] and, even with a SAT, faults that should
have been detected have slipped through the static
analysis process.
A SAT is used early in development process to
prevent fault slip through [14], i.e. catching the failures
before testing is cheaper than finding them during
testing and then having to correct and retest faults. The
SAT is mostly automated. Thus, it is fast and
inexpensive. Still there is a human factor when
examining if a warning should be corrected; it is
needed because the SATs have false positives [15]. A
warning is considered false if its statement is
considered wrong or if the developer does not believe
it needs correcting. The tool Coverity Prevent has a
20% false positive rate [12]. The same study also
suggests that about 5% of the tool generated warnings
have been security faults that need correction.
3. Research Method
3.1 Variables
Two different types of variables are usually
considered when conducting experiments, namely
independent variables and dependent variables.
The independent variables (or treatments) are what
the researcher is controlling, and the dependent
variables are measured outcomes. In this case, the
variable experience is controlled. As outcome variables
we consider the ratio of different fault types classified
correctly by the developers (see Figure 1).
Figure 1. Independent and dependent variables.
The dependent variables are divided into three
groups depending on the warning type.
• False positive – An incorrectly reported warning.
• True positive – A correctly identified fault.
• Security – A correct warning that can propagate
into one of the four security vulnerabilities that are
explained in section 3.3.
Security and true positives are divided because the
warnings can be interpreted and corrected in different
ways depending on how they are reclassified.
The independent variables examine how
experienced the developers are with: the coding
language, software development, the product, software
security and the SAT. The developers’ answers are
rated in a four grade scale, from guessing to very
confident. The experience data are then used for further
analysis of different groups compared to their ability to
classify a warning.
3.2 Subjects
The software developers where randomly selected
from the list of developers at Ericsson AB, a major
telecom company, from different development sites
(Sweden and India). The developers vary in experience
and have or will use the SAT as part of their daily
work. The study was voluntary and all the developers
had the same briefing prior to the study. In total 34
developers answered the questionnaire. From the total
group, 15 had experience in software security and 14
had used a SAT before the study. The developers were
divided into three groups depending on their general
software engineering experience. To determine the
developers experience we examined how long they
have worked in software development and how long
they have experience of development in the products
programming language. The low experiences group had
10 developers and less then 2 years development
experience. The medium experience group had 14
developers while the high experience group had the
remaining 10 developers. The high experience group
consisted of developers with more then 6 years of
development experience. Specific knowledge groups
consisting of security and SAT experience were also
examined. Specific knowledge was not measured in
time, instead developers answers a simple yes or no
question.
3.3 Instrumentation
The instruments used in the experiment are written
guidelines, forms used by the subjects to record their
results, and the tools and systems used.
Written guidelines: For the experiment, each subject
received one page explaining their task, including
explanations of classification types (false positives, true
positives, and security fault). Security faults are further
explained in the instructions following the definitions
of vulnerabilities [16]. This definition includes the
coding faults that cause a Denial of Service attack,
unauthorized disclosure, unauthorized destruction of
data, and unauthorized modification of data.
Forms: The evaluations form was created from a
random sample of warnings to create eight false
positives, eight true positives and six security warnings.
All developers then classified the same randomly
generated sample. At the time of the investigation the
product had an approximated ratio of 25 true positives
and 8 false positive for every vulnerability, i.e. true
positives are underrepresented and security warnings
are highly overrepresented in the questionnaire due to
the need of sufficient data points. The original
classification was done by developers working on the
product. The random sample was also examined further
on to insure that the original classification was correct.
In some cases the vulnerabilities were also practically
verified for being accurate. The accuracy had been
confirmed as follows: The warnings were taken from a
mature product still under development. The over a
year old source code in use had some known flaws both
detected and undetected by the SAT. The results from
the developers were compared to a correct template,
i.e. a previous study that methodically examined and/or
practically confirmed those warnings when doubt
arose. Also, some warnings were confirmed by trouble
reports from testers and end users. The sample
contained 13 different checkers that looked for a
specific type of fault. These checkers can be grouped
based on the characteristics of the fault they detect. The
following groups of warnings provided in the form are
of security relevance:
• Memory faults (e.g., buffer overflows) lead to
memory corruptions which can be exploited (e.g,.
for code injection) [16].
• Null-pointer exceptions which allow to user-
induced segmentation faults [16].
• Initialization checkers determine if allocated
resources are used before they are properly
initialized causing information leaks or
segmentation faults [16].
• Race conditions allowing to lock or link system
resources (e.g., processor or physical resources)
[16].
Tools and systems used: In this study we had
chosen the SAT Coverity Prevent version 3.1. Coverity
Prevent is one of the state of the art SAT and has been
used in other studies to detect customer reported bugs
and vulnerabilities [13]. This tool was chosen after an
internal study showing that a low false positive rate was
combined with a high rate of reported faults. Because
the tool is automated and has a low false positive rate
(10-20%), industry often uses the SAT as a drop in tool
without any training. A more security focused SAT,
Fortify, was not used in this study due to its higher
false positive rate and other “free-ware” tools were too
simplistic in an industrial setting.
3.4 Operation
The study was conducted in two distinct steps. In
step one the developers received an introduction to the
study, where each developer received exactly the same
information. This included a description of their task
(e.g., explanation of the classification) and they were
informed that they should do the task individually and
should not talk to their peers about it. Furthermore, the
forms have been explained and the written guidelines
were handed out to the subjects. In the second step the
developers conducted the experiment on their own. For
the task one hour was recommended by the
experimenters. After the individual experiment, the
subjects sent back their filled in forms for analysis.

3.5 Threats to Validity
One threat to the generalizability of the results of
the study is the usage of one specific SAT. In order to
mitigate this risk we choose a state of the art tool with a
large industrial acceptance. The largest different
between different tools is not the type of defects
detected, but the number of false positives compared to
false negatives. Because developers examine the output
of the tool, the user friendliness can effect the results.
But all previously examined SAT, open source tools,
Klockworks and Fortify all presented there results in
the same way. All SAT showed the results as warning
text either in a report or directly in the source code.
Because all top tools present the results in the same
way, we can assume that the tools interface would not
effect generalization. Another threat is whether the
results are applicable for the industry or not. As this
experiment entirely includes industrial developers, the
results can be generalized to industry developers in
common. Overall, the external validity of the study thus
can be considered as high.
To mitigate the risk of other factors than experience
influencing the outcome of the study, the study was
voluntary and stressed developers could ignore it. All
developers got the same initial information and used
the same interface to examine and report their finding.
Developers did the study individually and had the same
time frame. Thus, the risk of other factors affecting the
dependent variables is reduced.
3.6 Static analysis tool output examples
SAT often provide output directly in the source
code so that developers can read the warnings and at
the same time see there own code and thereafter judge
if it needs to be corrected. In the examples the numbers
followed by a ‘:’ is actual source code while rows
without starting numbers are warnings from the tool.
Example 1 is a simple off by one buffer overflow that
does not cause any security problems but should be
fixed by the developers.
Example 1. A simple off by one warning.
Event overrun-local: Overrun of static array
"buff" of size 32 at position 32 with index
variable "32"
30: buff[32] = '\0';
But the tool can produce more complex warnings
were the fault only occurs if the program follows a
specific flow. These warnings are harder to understand
and the developers have to read and understand every
warning message. Example 2 has a more complex flow
that if three conditions are met the program would
return with an error but not de-allocate it used memory.
This is made even worse because the operation is
initiated from a user message and the three conditions
are controlled by the user. In this case an outside user
could use this vulnerability to use up all the systems
memory and create an denial of service attack.
Example 2. More complex denial of service attack,
were three conditions have to be met before the
attack is possible.
Event alloc_fn: Called allocation function
"operator new (unsigned int)"
7859: daData = new CcnDdrSet(daTagNo);
At conditional (1):
"StringTokenizer::hasMoreTokens() != 0" taking
true path
7863: if (st.hasMoreTokens())
7864: {
At conditional (2):
"DicosString::compare(const char *) const !=
0" taking true path
7867: if (daAmountString.compare("") != 0)
7868: {
At conditional (3): "daAmount > 1000000"
taking true path
7872: if (daAmount > MAX_DA_AMOUNT)
7873: {
Event leaked_storage: Returned without freeing
storage "daData"
7875: return false;
4. Data Analysis
In this experiment a group of 34 developers have
individually classified 8 (272 in total) false positive, 8
(272 in total) true positives and 6 (204 in total) security
warnings. In figures 2 to 6 the average chance rate is
33% shown in every graph for reference, but notice that
the actual chance rate is 36% for false positives and
true positives and 27% for security warnings due to the
different number of items in each category. We
calculate change based in the number of correct
answers a developer would get if he assumed all
warnings would be true. Figure 2 shows how many
percent of the warnings are correctly classified by the
developers. In section 3.2 the three warning groups are
explained. Only the true positives are identified better
then chance, while both false positive and security
warnings are within the chance rate of 27-36%
(depending on whether the category contains 6 or 8
warnings).
 Figure 2. Correct classifications per warning type.
In figure 3 the first results are divided into groups
depending on how confident the developers are in their
classification of the warnings. In this division four
groups are created, that is: 157 warnings are classified
as very confident, 325 as confident, 175 as not
confident and 97 as guessing.
True positives behave almost as expected, i.g. less
confident answers have fewer correct answers. False
positive on the other hand behaved exactly in the
opposite way. That is, the results are better when they
developers are uncertain in their answers. Security
vulnerabilities vary within the chance range and no
improvement claims can be made with confidence.
Figure 3. Correct answers per confident group.
Because Figure 3 did not show that confidence
improves the identification of security vulnerabilities
we have excluded confidence from further analysis and
all answers, from very confident to guessing, are used.
In figure 4 the results are grouped by the
developers’ general experience. We get three groups
with 10 developers in the low group, 14 in the medium
and 10 in the high experience group. The results do not
vary noteworthy between the three groups. The security
vulnerabilities also stay within the chance range.
Figure 4. Classifications grouped by the developers
general experience.
Figure 5 examines the two most important specific
experiences. Here, 15 developers with security
experience are compared to 19 without. Furthermore,
14 developers with prior knowable in SAT are
compared to the remaining 20 developers with no
knowledge in SAT.
While the security group is better then the non
security group in detecting vulnerabilities the results is
only just better then chance. The group with SAT
experience is the first group with substantial
improvement in identifying the security vulnerabilities
and the non SAT group has a worse security detection
result.
Figure 5. Classifications based on two specific
experience groups.
The best security detection group is created by
combining developers with both security experience
and SAT experience. This group consists of only 7
developers while the remaining are 27 developers. The
security (SEC) & SAT group correctly classified 67%
of the security vulnerabilities which is an improvement
to the SAT only group. Figure 6 shows developers with
both SAT and security experience compared to the
developers with no specific or only one specific
experience.

Figure 6. Correct classifications from developers
with a combined specific experience.
5. Discussion
When software tools are evaluated for industry or
written about in articles the focus is almost always on
the tools’ capacity. Static analysis tools have had
several studies that have shown the tools’ ability to
detect coding faults, failures and even security
vulnerabilities. There are several different tools to
choose from that have different behaviors and
characteristics. Different characteristics might be
preferred depending on where in the company or
development cycle the tool is deployed. If the static
analysis tool is used by a security assurance team the
soundness and capability of the tool might be more
important then it's false positive rate. But if the tool is
intended to be used as an early fault detector on a daily
basis, then the tools actual capacity might, due to
inexperienced developers, be lower than its full
potential.
In Figure 2 we examined the average result of a
developer in classifying warnings. Without creating any
groups regarding experience, or removing any answers
due to unconfident answers, we clearly see that true
positives have been mostly classified in the correct
way.
Dividing the answers based on the developers
confidence in their classification does not show the
expected results. Relative few answers are guessed and
the majority of developers are confident in their
classification. A positive judgment is expected in both,
the security and false positive warnings. Instead the
judged security warnings are randomized and the false
positive result improved the more uncertain the
developers are, i.e. the outcome improves with
increased uncertainty. The difference in results
indicates that developers do not correctly judge how
correct their classification is. We therefore do not
believe that developers can judge when they need
assistance in classifying a SAT warning.
The general development experience did not have
the expected impact on the number of correctly
identified security vulnerabilities or any warnings. It
could be assumed that developers that have spent more
time in development would be better then novice
developers in correctly classifying all types of
warnings. While we see a small improvement from low
to medium experienced developers, this improvement
stagnates within the high experience group. These
results are positive for the SAT as it shows that every
developer within the project can use the tool and get
similar results, how good these results are is another
issue. A cause of the lack of improvement could be that
the output from the tool is so obscure and hard to read
that even more experienced developers have problems
understanding the warnings.
In the specific experience we see the first
improvement in detecting security vulnerabilities. Tool
experience is the single most important factor. Security
experience on the other hand did not improve the result
substantially. But for the best results the developers
should have security and SAT experience. No other
specific experience showed better results, indicating
that educating developers is not the best way to get
better SAT classifications. Instead, they need to get
practical experience from projects combining security
and the use of SAT.
The tools user friendliness comes into question
because tool experience was the most important factor
when classifying warnings. Because all tools use the
same method to present there results it can be
considered an industry accepted standard that every
one follows. More specific studies have to be
conducted to determine if the output can be presented
in a better way and if the classification result can be
improved. But a better solution would be to reduce or
eliminate false positives entirely so that developers
could always assume the tool was correct.
So, depending on whether the tool is used by a
security assurance team or as an early fault detection
tool the outcome may vary. For a security assurance
team a sound tool with higher false positive rate and a
minimum of un-reported warnings is acceptable and
even preferable. An early fault detection tool is used
daily during implementation and therefore a low false
positive rate with a slightly increased rate of un-
reported warnings may be preferred. Combined with
our results the importance of a low false positive rate in
the SAT is further strengthened.
6. Conclusion
Overall, all developers in the experiment are good at
identifying true positives while false positive and
 security vulnerabilities are much harder to correctly
classify. Neither false positive nor security
vulnerabilities are identified better then chance. Also,
developers are bad at judging how correct their own
classifications are.
We see no improvement in the classification with
increased development experience or any individual
experiences that help the developers in detecting the
false positives. For security vulnerabilities, a
combination of security experience and SAT
experience leads to the best results where using the tool
seems more important than having general experience
in security. The combination of SAT and security
experience almost triple the number of correct security
answers. But just deploying a SAT to all developers
will not initially have any better than random
classifications of security vulnerabilities. With time, as
the developers’ understanding of the tool increases, the
better their security results will be (more than doubling
the number of correct answers).
Another observation of this study is that developers
trust the tool and often assume that the tool is correct in
its detection. At the same time no experience improved
the false positive rate and the developers could not
determine how good they have classified the warnings.
These observations show that for a SAT to be an
effective early fault or vulnerability detector its false
positive rate has to be very low, which is an important
factor in the tools’ usefulness.
7. References
[1] M.T. Hunter, R.J. Clark, and F.S. Park, “Security issues
with the IP multimedia subsystem (IMS),” Proceedings of
the 2007 Workshop on Middleware for next-generation
converged networks and applications, Port Beach,
California: ACM, 2007, pp. 1-6;
[2] M. Daran and P. Thévenod-Fosse, “Software error
analysis: a real case study involving real faults and
mutations,” SIGSOFT Softw. Eng. Notes, vol. 21, 1996, pp.
158-171.
[3] B.W. Boehm, “Software engineering economics,”
Software pioneers: contributions to software engineering,
Springer-Verlag New York, Inc., 2002, pp. 641-686;
View publication stats
[4] B. De Win et al., “On the secure software development
process: CLASP, SDL and Touchpoints compared,”
Information and Software Technology, vol. In Press,
Corrected Proof;
[5] B. Boehm and V. Basili, “Top 10 list [software
development],” Computer, vol. 34, 2001, pp. 135-137.
[6] J. Viega et al., “ITS4: a static vulnerability scanner for C
and C++ code,” Computer Security Applications, 2000.
ACSAC '00. 16th Annual Conference, 2000, pp. 257-267.
[7] S. Hallem, D. Park, and D. Engler, “Uprooting Software
Defects at the Source,” Queue, vol. 1, 2003, pp. 64-71.
[8] N. Mead and G. McGraw, “A Portal for Software
Security,” Security & Privacy, IEEE, vol. 3, 2005, pp. 75-
79.
[9] B. Chess and G. McGraw, “Static analysis for security,”
Security & Privacy, IEEE, vol. 2, 2004, pp. 76-79.
[10] N. Ayewah et al., “Using Static Analysis to Find Bugs,”
Software, IEEE, vol. 25, 2008, pp. 22-29.
[11] M. Zitser, R. Lippmann, and T. Leek, “Testing static
analysis tools using exploitable buffer overflows from open
source code,” SIGSOFT Softw. Eng. Notes, vol. 29, 2004,
pp. 97-106.
[12] D. Baca, B. Carlsson, and L. Lundberg, “Evaluating the
cost reduction of static code analysis for software security,”
Proceedings of the third ACM SIGPLAN workshop on
Programming languages and analysis for security, Tucson,
AZ, USA: ACM, 2008, pp. 79-88;
http://portal.acm.org.miman.bib.bth.se/citation.cfm?id=1375
696.1375707.
[13] P. Emanuelsson and U. Nilsson, “A Comparative Study
of Industrial Static Analysis Tools,” Electronic Notes in
Theoretical Computer Science, vol. 217, Jul. 2008, pp. 5-21.
[14] L. Damm, L. Lundberg, and C. Wohlin, “Faults-slip-
through - a concept for measuring the efficiency of the test
process,” Software Process: Improvement and Practice, vol.
11, 2006, pp. 47-59.
[15] J. Zheng et al., “On the value of static analysis for fault
detection in software,” Software Engineering, IEEE
Transactions on, vol. 32, 2006, pp. 240-253.
[16] I.V. Krsul, “Software vulnerability analysis,” Ph.D.
Dissertation, Computer Sciences Department, Purdue
University, Lafayette, IN, May, 1998.