C. Wijesiriwardana, P. Wimalaratne, T. Abeysinghe, S. Shalika, N. Ahmed, M. Mufarrij
Title: Secure CodeCity: 3-dimensional visualization of software security facets
DOI: 10.4038/jnsfsr.v51i3.11201 (https://doi.org/10.4038/jnsfsr.v51i3.11201)
Journal: Journal of the National Science Foundation of Sri Lanka
Publication type: Journal Article
Publication date: 2023-10-12
Citation count: 0
Abstract
Over the last few decades, the software industry has investigated security best practices to guide software developers in producing less vulnerable software products. As a result, security engineering has emerged as an integral part of the software development lifecycle. With the increase in the number of security vulnerabilities discovered, the software industry has encountered challenges in finding software security experts. Despite the availability of static code analysis tools for detecting security vulnerabilities, these tools are underused for several reasons, such as inadequate usability and a lack of integration support. For example, such tools provide too little information, produce faulty warning messages, and miscommunicate with developers. As a solution, this work presents a conceptual framework and a proof-of-concept visualization tool, Secure CodeCity, as an extension of the CodeCity metaphor to facilitate security analytics. Secure CodeCity extends the CodeCity metaphor into three granularity levels in 3-dimensional space, supporting vulnerability analysis at each of those granularities. Software practitioners can thus use Secure CodeCity to obtain useful security-related information, such as "What is the most vulnerable class/method in a particular software project?". A between-subjects user study was conducted with 23 subjects using a set of security-related tasks on two benchmark open-source Apache projects. The evaluation results show that Secure CodeCity surpasses the state-of-the-art security analysis tools in terms of correctness, usability, and time efficiency.
Journal description:
The Journal of the National Science Foundation of Sri Lanka (JNSF) publishes the results of research in science and technology. The journal is released four times a year, in March, June, September and December, and contains Research Articles, Reviews, Research Communications and Correspondence.
Manuscripts submitted to the journal are accepted on the understanding that they will be reviewed prior to acceptance and that they have not been submitted for publication elsewhere.