Abstract

Over the last few decades, the software industry investigated security best practices to guide software developers in producing less vulnerable software products. As a result, security engineering has emerged as an integral part of the software development lifecycle. With the increase in the number of security vulnerabilities discovered, the software industry encountered challenges finding software security experts. Despite the availability of static code analysis tools to detect security vulnerabilities, they are underused due to several reasons such as inadequate usability and the lack of integration support. For example, such tools are deficient in providing enough information, produce faulty warning messages, and miscommunicate with developers. As a solution, this work presents a conceptual framework and a proof-of-concept visualization tool, Secure CodeCity, as an extension to the CodeCity metaphor, to facilitate security analytics. Secure CodeCity extends the CodeCity metaphor into three different granularity levels in 3-dimensional space, facilitating the vulnerability analysis in different granularities. Thus, software practitioners can use Secure CodeCity to obtain useful security-related information such as "What is the most vulnerable class/method in a particular software project?". A between-subjects design-based user study was conducted with 23 subjects using a set of security-related tasks with two benchmark open-source Apache projects. The evaluation results show that Secure CodeCity surpasses the state-of-the-art security analysis tools in terms of correctness, usability, and time efficiency.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.