Many Tools, Few Exploitable Vulnerabilities: A Survey of 246 Static Code Analyzers for Security

Kevin Hermann, Sven Peldszus, Thorsten Berger

TL;DR

The survey finds that most analyzers focus on a limited set of weaknesses, that the vulnerabilities they detect are rarely exploitable, and that evaluations use custom benchmarks that are too small to enable robust assessment.

Abstract

Static security analysis is a widely used technique for detecting software vulnerabilities across a wide range of weaknesses, application domains, and programming languages. While prior work surveyed static analyzers for specific weaknesses or application domains, no overview of the entire security landscape exists. We present a systematic literature review of 246 static security analyzers concerning their targeted vulnerabilities, application domains, analysis techniques, evaluation methods, and limitations. We observe that most analyzers focus on a limited set of weaknesses, that the vulnerabilities they detect are rarely exploitable, and that evaluations use custom benchmarks that are too small to enable robust assessment.

Paper Structure (37 sections, 16 figures, 2 tables)

This paper contains 37 sections, 16 figures, 2 tables.

Figures (16)

  • Figure 1: Programming languages and application domains targeted by static security analyzers
  • Figure 2: Further objectives of static security analyzers
  • Figure 3: Weaknesses scanned by static security analyzers organized by top-level CWE comprehensive categories
  • Figure 4: Weaknesses scanned by static security analyzers
  • Figure 5: Security features related to static security analyzers
  • ...and 11 more figures