Secure CodeCity: 3-dimensional visualization of software security facets

Impact factor 0.4 | CAS Zone 4, multidisciplinary journal | JCR Q4, MULTIDISCIPLINARY SCIENCES
C. Wijesiriwardana, P. Wimalaratne, T. Abeysinghe, S. Shalika, N. Ahmed, M. Mufarrij
DOI: 10.4038/jnsfsr.v51i3.11201 (https://doi.org/10.4038/jnsfsr.v51i3.11201)
Journal: Journal of the National Science Foundation of Sri Lanka
Published: 2023-10-12 (journal article)
Citations: 0

Abstract

Over the last few decades, the software industry has investigated security best practices to guide software developers in producing less vulnerable software products. As a result, security engineering has emerged as an integral part of the software development lifecycle. With the increase in the number of security vulnerabilities discovered, the software industry has encountered challenges in finding software security experts. Despite the availability of static code analysis tools to detect security vulnerabilities, they are underused for several reasons, such as inadequate usability and the lack of integration support. For example, such tools are deficient in providing enough information, produce faulty warning messages, and miscommunicate with developers. As a solution, this work presents a conceptual framework and a proof-of-concept visualization tool, Secure CodeCity, as an extension of the CodeCity metaphor, to facilitate security analytics. Secure CodeCity extends the CodeCity metaphor into three different granularity levels in 3-dimensional space, facilitating vulnerability analysis at different granularities. Thus, software practitioners can use Secure CodeCity to obtain useful security-related information such as "What is the most vulnerable class/method in a particular software project?". A between-subjects design-based user study was conducted with 23 subjects using a set of security-related tasks on two benchmark open-source Apache projects. The evaluation results show that Secure CodeCity surpasses the state-of-the-art security analysis tools in terms of correctness, usability, and time efficiency.
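The abstract describes the core operation such a view needs but does not show it: folding the flat warning list a static analyser emits into a hierarchy of granularity levels so that "most vulnerable class/method" becomes a ranking question at each level. The following is an added example, not the paper's code or the Secure CodeCity tool; the finding records, the package/class/method levels, the severity weights and the building encoding (height from weighted score, footprint from raw count, colour from worst severity) are all assumptions made for illustration. The original CodeCity metaphor maps packages to districts and classes to buildings; how Secure CodeCity encodes vulnerability data is not stated on this page.

```python
"""Added example: aggregate static-analysis findings into package -> class
-> method levels and rank each level, as a CodeCity-style security view
would need. Not the paper's code; all encodings below are assumptions."""
from dataclasses import dataclass, field

# Constructed sample findings in the shape a Java security analyser reports:
# (fully-qualified class, method, severity, rule id). Not from a real scan.
FINDINGS = [
    ("org.example.web.LoginServlet", "doPost", "HIGH", "SQL_INJECTION_JDBC"),
    ("org.example.web.LoginServlet", "doPost", "MEDIUM", "HTTP_RESPONSE_SPLITTING"),
    ("org.example.web.LoginServlet", "doGet", "LOW", "XSS_REQUEST_PARAMETER"),
    ("org.example.util.PathUtil", "resolve", "HIGH", "PATH_TRAVERSAL_IN"),
    ("org.example.util.PathUtil", "resolve", "HIGH", "PATH_TRAVERSAL_IN"),
    ("org.example.crypto.Hasher", "digest", "MEDIUM", "WEAK_MESSAGE_DIGEST_MD5"),
]

# Assumed weights; a real deployment would take these from the analyser's
# severity scale or from CVSS-style scoring.
SEVERITY_WEIGHT = {"HIGH": 5, "MEDIUM": 3, "LOW": 1}


@dataclass
class Node:
    """One city element at some granularity (package, class or method)."""
    name: str
    count: int = 0           # raw number of findings below this node
    score: int = 0           # severity-weighted sum of those findings
    max_severity: str = "NONE"
    children: dict = field(default_factory=dict)

    def add(self, severity: str) -> None:
        self.count += 1
        self.score += SEVERITY_WEIGHT[severity]
        if SEVERITY_WEIGHT.get(self.max_severity, 0) < SEVERITY_WEIGHT[severity]:
            self.max_severity = severity


def build_city(findings):
    """Fold findings into a package -> class -> method tree, accumulating
    counts and scores at every level so each level can be ranked."""
    root = Node("root")
    for fqcn, method, severity, _rule in findings:
        package, _, cls = fqcn.rpartition(".")
        pkg_node = root.children.setdefault(package, Node(package))
        cls_node = pkg_node.children.setdefault(cls, Node(fqcn))
        m_node = cls_node.children.setdefault(method, Node(f"{fqcn}#{method}"))
        for node in (root, pkg_node, cls_node, m_node):
            node.add(severity)
    return root


def rank(root: Node, level: int):
    """Nodes at depth `level` (1=package, 2=class, 3=method), highest
    weighted score first; ties broken by name so output is deterministic."""
    nodes = [root]
    for _ in range(level):
        nodes = [c for n in nodes for c in n.children.values()]
    return sorted(nodes, key=lambda n: (-n.score, n.name))


def most_vulnerable(root: Node, level: int) -> str:
    """Answer 'what is the most vulnerable package/class/method?'."""
    return rank(root, level)[0].name


def building(node: Node) -> dict:
    """Assumed visual encoding for one node: height grows with weighted
    score, footprint with raw finding count, colour with worst severity."""
    colour = {"HIGH": "red", "MEDIUM": "orange", "LOW": "yellow"}
    return {
        "height": node.score,
        "footprint": node.count,
        "colour": colour.get(node.max_severity, "grey"),
    }


if __name__ == "__main__":
    city = build_city(FINDINGS)
    for level, label in ((1, "package"), (2, "class"), (3, "method")):
        print(f"most vulnerable {label}: {most_vulnerable(city, level)}")
    for cls_node in rank(city, 2):
        print(cls_node.name, building(cls_node))
```

On the constructed input the answer depends on the encoding: LoginServlet has the most findings (three), but PathUtil's two HIGH findings give it the higher weighted score, so ranking by raw count and by severity-weighted score disagree. That disagreement is one of the things a practitioner should check before trusting any "most vulnerable" reading, along with deduplicating repeated reports of the same rule at the same location, which many analysers emit once per affected line.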
Source journal metrics: CiteScore 0.90; self-citation rate 0.00%; articles published 57; review time >12 weeks.
Journal description: The Journal of the National Science Foundation of Sri Lanka (JNSF) publishes the results of research in science and technology. The journal is released four times a year, in March, June, September and December, and contains Research Articles, Reviews, Research Communications and Correspondences. Manuscripts submitted to the journal are accepted on the understanding that they will be reviewed prior to acceptance and that they have not been submitted for publication elsewhere.