Input Splitting for Cloud-Based Static Application Security Testing Platforms
As software development teams adopt DevSecOps practices, application security is increasingly the responsibility of development teams, who are required to set up their own Static Application Security Testing (SAST) infrastructure.
Since development teams often do not have the necessary infrastructure and expertise to set up a custom SAST solution, there is an increased need for cloud-based SAST platforms that operate as a service and run a variety of static analyzers.
Adding a new static analyzer to a cloud-based SAST platform can be challenging because static analyzers vary greatly in complexity, from linters that scale efficiently to interprocedural dataflow engines whose algorithms are cubic or worse in the size of the input. Careful manual evaluation is needed to decide whether a new analyzer would slow down the overall response time of the platform or may time out too often.
We explore the question of whether this can be simplified by splitting the input to the analyzer into partitions and analyzing the partitions independently. Depending on the complexity of the static analyzer, the partition size can be adjusted to curtail the overall response time. We report on an experiment where we run different analysis tools with and without splitting the inputs. The experimental results show that simple splitting strategies can effectively reduce the running time and memory usage per partition without significantly affecting the findings produced by the tool.
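The abstract's idea, choosing a partition size from the analyzer's complexity and then analyzing partitions independently, can be sketched as a small planner. The code below is an added illustration and is not the paper's or the platform's implementation; it assumes a running-time model of the form coeff * lines**exponent (exponent 1 for a linter, 3 for a cubic dataflow engine), assumes the coefficients come from calibration runs, and uses a constructed list of files with made-up line counts. It shows why splitting helps a superlinear analyzer: the sum of the per-partition costs is far below the cost of the unsplit input, and any single file that cannot fit the budget is flagged as a likely timeout instead of being silently scheduled.

```python
"""Toy input-splitting planner for a SAST platform (added example, not the paper's code).

Assumed cost model (not from the paper): running time = coeff * lines ** exponent.
A linter is modeled with exponent 1, a cubic interprocedural analysis with exponent 3.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SourceFile:
    path: str
    lines: int


@dataclass(frozen=True)
class Analyzer:
    name: str
    exponent: float  # assumed growth of running time in input size
    coeff: float     # assumed seconds per lines**exponent, e.g. from calibration runs

    def estimate_seconds(self, lines: int) -> float:
        return self.coeff * lines ** self.exponent


def max_partition_lines(analyzer: Analyzer, budget_seconds: float) -> int:
    """Largest input size whose estimated running time still fits the budget."""
    return int((budget_seconds / analyzer.coeff) ** (1.0 / analyzer.exponent))


def split_input(files: List[SourceFile], max_lines: int) -> List[List[SourceFile]]:
    """Greedy first-fit partitioning by line count, largest files first.

    A file larger than max_lines gets a partition of its own; it will be over
    budget and is reported by plan() so the platform can expect a timeout.
    """
    partitions: List[List[SourceFile]] = []
    used: List[int] = []
    for f in sorted(files, key=lambda sf: sf.lines, reverse=True):
        for i, size in enumerate(used):
            if size + f.lines <= max_lines:
                partitions[i].append(f)
                used[i] += f.lines
                break
        else:
            partitions.append([f])
            used.append(f.lines)
    return partitions


def plan(files: List[SourceFile], analyzer: Analyzer, budget_seconds: float) -> Dict:
    """Compute the partition size for this analyzer, split the input, and
    estimate the cost of each partition against the budget."""
    max_lines = max_partition_lines(analyzer, budget_seconds)
    partitions = split_input(files, max_lines)
    per_partition = [analyzer.estimate_seconds(sum(f.lines for f in p)) for p in partitions]
    return {
        "analyzer": analyzer.name,
        "max_lines": max_lines,
        "partition_lines": [sum(f.lines for f in p) for p in partitions],
        "per_partition_seconds": per_partition,
        "unsplit_seconds": analyzer.estimate_seconds(sum(f.lines for f in files)),
        "over_budget": [i for i, s in enumerate(per_partition) if s > budget_seconds],
    }


# Constructed sample input: five files with made-up line counts (12,000 lines total).
SAMPLE_FILES = [
    SourceFile("src/parser.c", 4000),
    SourceFile("src/net.c", 3000),
    SourceFile("src/auth.c", 2500),
    SourceFile("src/util.c", 1500),
    SourceFile("src/main.c", 1000),
]
# Assumed analyzers with assumed calibration coefficients.
LINTER = Analyzer("linter", exponent=1.0, coeff=1e-3)
DATAFLOW = Analyzer("interprocedural-dataflow", exponent=3.0, coeff=1e-9)
BUDGET_SECONDS = 100.0


if __name__ == "__main__":
    for analyzer in (LINTER, DATAFLOW):
        result = plan(SAMPLE_FILES, analyzer, BUDGET_SECONDS)
        print(f"{result['analyzer']}: max {result['max_lines']} lines per partition, "
              f"{len(result['partition_lines'])} partition(s), "
              f"unsplit {result['unsplit_seconds']:.1f}s, "
              f"per partition {[round(s, 1) for s in result['per_partition_seconds']]}, "
              f"over budget: {result['over_budget']}")
```

With the constructed numbers the linter keeps all 12,000 lines in one partition, while the cubic analyzer is limited to 4,641 lines per partition and ends up with three partitions estimated at roughly 64 s, 91 s and 43 s, against about 1,728 s for the unsplit input. The planner says nothing about findings that span partitions, which is exactly the trade-off the experiment in the paper measures.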
Mon 14 Nov (displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi)

16:00 - 17:30 | Program Analysis I (Research Papers / Industry Paper) at SRC LT 50
Chair(s): Marcel Böhme (MPI-SP, Germany and Monash University, Australia)

16:00 (15m talk) Input Splitting for Cloud-Based Static Application Security Testing Platforms. Industry Paper. Maria Christakis (MPI-SWS), Thomas Cottenier (Amazon Web Services), Antonio Filieri (AWS and Imperial College London), Linghui Luo (Amazon Web Services), Muhammad Numair Mansur (MPI-SWS), Lee Pike (Amazon Web Services), Nico Rosner (Amazon Web Services), Martin Schäf (Amazon Web Services), Aritra Sengupta (Amazon Web Services), Willem Visser (Amazon Web Services). DOI; media attached.

16:15 (15m talk) Static Executes-Before Analysis for Event Driven Programs. Research Papers. Rekha Pai (IISc Bangalore), Abhishek Uppar (IISc Bangalore), Akshatha Shenoy (TCS Research), Pranshul Kushwaha (IISc Bangalore), Deepak D'Souza (IISc Bangalore). DOI.

16:30 (15m talk) Security Code Smells in Apps: Are We Getting Better? Research Papers. Steven Arzt (Fraunhofer SIT; ATHENE). DOI.

16:45 (15m talk) Large-Scale Analysis of Non-Termination Bugs in Real-World OSS Projects. Research Papers. Xiuhan Shi (Tianjin University), Xiaofei Xie (Singapore Management University), Yi Li (Nanyang Technological University), Yao Zhang (Tianjin University), Sen Chen (Tianjin University), Xiaohong Li (Tianjin University). DOI.

17:00 (15m talk) On-the-Fly Syntax Highlighting using Neural Networks. Research Papers. Marco Edoardo Palma (University of Zurich), Pasquale Salza (University of Zurich), Harald Gall (University of Zurich). DOI; pre-print.

17:15 (15m talk) Declarative Smart Contracts. Research Papers. Haoxian Chen (University of Pennsylvania), Gerald Whitters (University of Pennsylvania), Mohammad Javad Amiri (University of Pennsylvania), Yuepeng Wang (Simon Fraser University), Boon Thau Loo (University of Pennsylvania). DOI.