
VIVID: A Novel Approach to Remediation Prioritization in Static Application Security Testing (SAST)

Naeem Budhwani, Mohammad Faghani, Hayden Richard

TL;DR

VIVID introduces vulnerability data flow graphs (VDFs) derived from SAST outputs and analyzes them as directed graphs $G=(V,E)$ to prioritize remediation. By evaluating nine graph-theoretic metrics—including Betweenness Centrality, Out-/In-Eigenvector Centrality, Modularity, Substructure Entropy, Cross-Clique Connectivity, In-/Out-Degree, and PageRank—on VDFs from WebGoat and VeraDemo, the approach identifies high-impact files that propagate tainted data. Key findings show that cross-clique connectivity and eigenvector-based measures effectively flag critical remediation targets, while PageRank alone may miss key nodes. The practical impact is an evidence-based, automatable prioritization pipeline that can guide security controls into a small, strategically chosen set of files, potentially reducing remediation effort while curtailing vulnerability spread. Future work includes weighting by vulnerability severity, combining metrics into a unified prioritization index, and increasing granularity to function-level nodes and enhanced visualization.

Abstract

Static Application Security Testing (SAST) enables organizations to detect vulnerabilities in code early; however, major SAST platforms do not include visual aids and present little insight on correlations between tainted data chains. We propose VIVID - Vulnerability Information Via Data flow - a novel method to extract and consume SAST insights: graph the application's vulnerability data flows (VDFs) and carry out graph theory analysis on the resulting directed VDF graph. Nine metrics were assessed for their effectiveness in analyzing the VDF graphs of deliberately insecure web applications: 3 centrality metrics, 2 structural metrics, PageRank, in-degree, out-degree, and cross-clique connectivity. Our simulations find that out-degree, betweenness centrality, in-eigenvector centrality, and cross-clique connectivity are associated with files exhibiting high vulnerability traffic, making them refactoring candidates where input sanitization may have been missed. Meanwhile, out-eigenvector centrality, PageRank, and in-degree are associated with nodes enabling vulnerability flow and with sinks, but not necessarily with where input validation should be placed. This is a novel method to automatically provide development teams with an evidence-based, prioritized list of files to embed security controls into, informed by vulnerability propagation patterns in the application architecture.
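The following is an added illustration of the VDF construction and two of the nine metrics; it is not the authors' code or data. The SAST data-flow traces are constructed, nodes are files as in the paper, and PageRank is a plain power iteration with dangling-node handling. On this sample, out-degree singles out the service file that forwards taint to several sinks, while in-degree and PageRank single out the DAO sink, mirroring the distinction drawn in the abstract.

```python
# Constructed SAST data-flow traces (not real tool output): each is the ordered
# list of files a tainted value passes through, from source to sink.
SAST_TRACES = [
    ["web/LoginController.java", "service/UserService.java", "dao/UserDao.java"],
    ["web/LoginController.java", "dao/UserDao.java"],
    ["web/LoginController.java", "service/UserService.java", "util/AuditLog.java"],
    ["web/SearchController.java", "service/UserService.java", "dao/UserDao.java"],
    ["web/SearchController.java", "service/UserService.java", "util/HtmlRenderer.java"],
    ["web/UploadController.java", "service/FileService.java", "dao/UserDao.java"],
]

def build_vdf(traces):
    """File-level VDF: directed graph as {file: set of files it forwards taint to}."""
    succ = {}
    for trace in traces:
        for f in trace:
            succ.setdefault(f, set())          # sinks with no out-edges stay nodes
        for src, dst in zip(trace, trace[1:]):
            if src != dst:                     # hops inside one file add no edge
                succ[src].add(dst)
    return succ

def degrees(succ):
    """In-degree: tainted flows arriving at a file; out-degree: flows it forwards."""
    out_deg = {v: len(s) for v, s in succ.items()}
    in_deg = {v: sum(v in s for s in succ.values()) for v in succ}
    return in_deg, out_deg

def pagerank(succ, d=0.85, iters=100):
    """Power iteration; rank held by dangling nodes (sinks) is spread uniformly."""
    n, pr = len(succ), {v: 1.0 / len(succ) for v in succ}
    for _ in range(iters):
        dangling = sum(pr[v] for v, s in succ.items() if not s)
        new = {v: (1 - d) / n + d * dangling / n for v in succ}
        for v, s in succ.items():
            for w in s:
                new[w] += d * pr[v] / len(s)
        pr = new
    return pr

def rank(metric):
    """Files by descending score, ties broken by path: the prioritized list."""
    return sorted(metric, key=lambda f: (-metric[f], f))

if __name__ == "__main__":
    vdf = build_vdf(SAST_TRACES)
    in_deg, out_deg = degrees(vdf)
    for name, m in (("out-degree", out_deg), ("in-degree", in_deg), ("PageRank", pagerank(vdf))):
        print(f"{name:>10}: {rank(m)[:3]}")
```

Parallel edges from repeated traces are collapsed, so the graph is unweighted; weighting edges by flow count or finding severity is one of the extensions the paper lists as future work.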

Paper Structure

This paper contains 12 sections, 5 figures, and 1 table.

Figures (5)

  • Figure 1: VDF visualization of VeraDemo
  • Figure 2: VDF graph for WebGoat v2023.8
  • Figure 3: Simulation results for WebGoat
  • Figure 4: Simulation results for VeraDemo
  • Figure 5: Modularity plot for WebGoat v2023.8