Table of Contents
Fetching ...

From Detection to Prevention: Explaining Security-Critical Code to Avoid Vulnerabilities

Ranjith Krishnamurthy, Oshando Johnson, Goran Piskachev, Eric Bodden

TL;DR

Security vulnerabilities often arise from everyday coding mistakes, and traditional SAST/DAST tools only detect issues after they are introduced. This paper proposes a prevention-first approach implemented as an IntelliJ IDEA plugin that identifies security-critical methods using lightweight code-level metrics (cyclomatic complexity, lines of code, and lack of cohesion of methods) and generates prevention-oriented explanations with LLMs. The evaluation on the Spring-PetClinic application shows the metrics can flag many known vulnerable methods and that LLMs can provide actionable guidance, albeit with limitations in semantic security understanding and potential latency, with cross-language experiments in Kotlin suggesting broader applicability. The work lays groundwork for security-aware, code-level metrics and trustworthy, in-editor explanations, paving the way for tighter integration of human and AI-assisted secure coding.

Abstract

Security vulnerabilities often arise unintentionally during development due to a lack of security expertise and code complexity. Traditional tools, such as static and dynamic analysis, detect vulnerabilities only after they are introduced in code, leading to costly remediation. This work explores a proactive strategy to prevent vulnerabilities by highlighting code regions that implement security-critical functionality -- such as data access, authentication, and input handling -- and providing guidance for their secure implementation. We present an IntelliJ IDEA plugin prototype that uses code-level software metrics to identify potentially security-critical methods and large language models (LLMs) to generate prevention-oriented explanations. Our initial evaluation on the Spring-PetClinic application shows that the selected metrics identify most known security-critical methods, while an LLM provides actionable, prevention-focused insights. Although these metrics capture structural properties rather than semantic aspects of security, this work lays the foundation for code-level security-aware metrics and enhanced explanations.

From Detection to Prevention: Explaining Security-Critical Code to Avoid Vulnerabilities

TL;DR

Security vulnerabilities often arise from everyday coding mistakes, and traditional SAST/DAST tools only detect issues after they are introduced. This paper proposes a prevention-first approach implemented as an IntelliJ IDEA plugin that identifies security-critical methods using lightweight code-level metrics (cyclomatic complexity, lines of code, and lack of cohesion of methods) and generates prevention-oriented explanations with LLMs. The evaluation on the Spring-PetClinic application shows the metrics can flag many known vulnerable methods and that LLMs can provide actionable guidance, albeit with limitations in semantic security understanding and potential latency, with cross-language experiments in Kotlin suggesting broader applicability. The work lays groundwork for security-aware, code-level metrics and trustworthy, in-editor explanations, paving the way for tighter integration of human and AI-assisted secure coding.

Abstract

Security vulnerabilities often arise unintentionally during development due to a lack of security expertise and code complexity. Traditional tools, such as static and dynamic analysis, detect vulnerabilities only after they are introduced in code, leading to costly remediation. This work explores a proactive strategy to prevent vulnerabilities by highlighting code regions that implement security-critical functionality -- such as data access, authentication, and input handling -- and providing guidance for their secure implementation. We present an IntelliJ IDEA plugin prototype that uses code-level software metrics to identify potentially security-critical methods and large language models (LLMs) to generate prevention-oriented explanations. Our initial evaluation on the Spring-PetClinic application shows that the selected metrics identify most known security-critical methods, while an LLM provides actionable, prevention-focused insights. Although these metrics capture structural properties rather than semantic aspects of security, this work lays the foundation for code-level security-aware metrics and enhanced explanations.
Paper Structure (11 sections, 2 figures, 1 table)

This paper contains 11 sections, 2 figures, 1 table.

Figures (2)

  • Figure 1: Proposed approach for assessing and explaining security-critical methods.
  • Figure 2: Screenshot of the IntelliJ plugin showing icons and annotations for security-critical methods (), security-criticality explanations (), and precautionary steps () using GPT-5 to prevent introducing vulnerabilities.