SecCityVR: Visualization and Collaborative Exploration of Software Vulnerabilities in Virtual Reality
Dennis Wüppelman, Enes Yigitbas
TL;DR
SecCityVR introduces a VR code-city visualization to address the shortcomings of traditional SAST dashboards by situating vulnerabilities within the codebase and enabling collaborative exploration. Built on Unity for the Meta Quest, it combines two static analyses (SAST results and call-graph metadata) to render a treemap-based city where buildings and floors encode software vulnerabilities and their interconnections. A user study shows that SecCityVR offers favorable usability and reduced cognitive load and frustration compared with a tabular dashboard, though task completion times are longer, highlighting a trade-off between engagement and efficiency. The work demonstrates VR's potential for collaborative secure software engineering and security audits, with clear avenues for integration into CI/CD pipelines and IDEs, and suggests future enhancements in navigation, avatars, and broader language support.
Abstract
Security vulnerabilities in software systems represent significant risks as potential entry points for malicious attacks. Traditional dashboards that display the results of static analysis security testing often use 2D or 3D visualizations, which tend to lack the spatial details required to effectively reveal issues such as the propagation of vulnerabilities across the codebase or the appearance of concurrent vulnerabilities. Additionally, most reporting solutions only treat the analysis results as an artifact that can be reviewed or edited asynchronously by developers, limiting real-time, collaborative exploration. To the best of our knowledge, no VR-based approach exists for the visualization and interactive exploration of software security vulnerabilities. Addressing these challenges, the virtual reality (VR) environment SecCityVR was developed as a proof-of-concept implementation that employs the code city metaphor within VR to visualize software security vulnerabilities as colored building floors inside the surrounding virtual city. By integrating the application's call graph, vulnerabilities are contextualized within related software components. SecCityVR supports multi-user collaboration and interactive exploration. It provides explanations and mitigations for detected issues. A user study comparing SecCityVR with the traditional dashboard find-sec-bugs showed the VR approach provided a favorable experience, with higher usability, lower temporal demand, and significantly lower frustration despite having longer task completion times. This paper and its results contribute to the fields of collaborative and secure software engineering, as well as software visualization. It provides a new application of VR code cities to visualize security vulnerabilities, as well as a novel environment for security audits using collaborative and immersive technologies.