Towards Understanding the Value of False Positives in Static Code Analysis

Authors

Abstract

Static code analysis is a well-known technique used to detect potential software security issues. Nowadays, given the large variety of vulnerabilities and the increasing complexity of web applications, it is difficult for static code analyzers to identify vulnerabilities in a precise manner. The main problem is with the typically high number of false positives reported by these tools, which refer to vulnerabilities that, in practice, do not exist. The common view is that the information regarding false positives is useless. In this paper we give an initial step towards investigating the hypothesis that false positives may be, in fact, a link to potential security problems. We analyzed 3 open-source web applications using a well-known static analyzer, then identified false positives and linked these to potential security problems. Preliminary results suggest that, in many cases, the presence of a false positive indicates a fragility of the application, which is prone, in different degrees, to turn into a real vulnerability.

Conference

Latin-American Symposium on Dependable Computing (LADC 2016) 2016