CROSSING Online Talk: Final Presentation of Project E1

Developing a usability focused plugin for AI-supported Security Testing

2025/09/25 13:30-14:30

Speaker: Michael Schlichtig (E1) and Markus Schmidt, Paderborn University | Location: online

Abstract

The use of Static Application Security Testing (SAST) tools to support developers has become increasingly important in modern software development due to the growing complexity of programs and the rising number of cybersecurity threats. However, these tools often suffer from usability limitations, making it challenging for developers to effectively address the detected vulnerabilities.

To better understand the usability challenges developers face when using SAST tools, we examined the existing literature that defines usability criteria for SAST tools and introduced new criteria that reflect the capabilities of AI to further enhance the user experience. We are building a tool that aims to satisfy these criteria by offering a modern user experience and leveraging AI to provide additional features.

Currently, the usability-enhancing features are being developed as a SonarQube plugin that integrates CogniCrypt as the SAST tool. The prototype under development displays the security violations found in the analyzed code. The proposed plugin will additionally provide detailed descriptions of each violation and use AI to suggest enhanced solutions, so that security issues can be resolved more effectively.

With the current progress, the plugin under development shows potential for improving the usability and effectiveness of SAST tools by providing an improved user experience and a better understanding of security violations. Further plans to extend the plugin with additional features, such as AI-generated solutions and IDE integration, should help developers by reducing cognitive load and streamlining the coding process, making security tools more accessible and practical for real-world software development.

Speaker Bio

Michael Schlichtig studied computer science at the University of Paderborn with a semester abroad at the University of Oklahoma and graduated with a Master of Science in 2018.

Following his studies, Mr. Schlichtig first started a PhD position in Computer Education Research and in 2019 moved to the Secure Software Engineering department under the supervision of Prof. Dr. Eric Bodden at the Heinz Nixdorf Institute. Since 2020, Mr. Schlichtig has been a member of the Collaborative Research Center 1119 CROSSING at TU Darmstadt. Within the CRC, Mr. Schlichtig works on the secure integration of cryptographic code in subproject E1 and supervises the development of the static analysis tool CogniCrypt, which detects misuses of cryptographic APIs.

Within his PhD, Mr. Schlichtig is working on helping Java developers reduce API misuses. His research includes benchmarking of static analysis tools, improving static analysis algorithms, and the usability of static analysis tools to better support developers.

Markus Schmidt studied information systems at the University of Paderborn and graduated with a Bachelor of Science in 2022.

Following his studies, he started working in 2023 as the lead software engineer in a BMBF-funded project to develop a static analysis tool for API misuse detection in the Secure Software Engineering department of Prof. Dr. Eric Bodden at the Heinz Nixdorf Institute. Since 2024, Mr. Schmidt has been associated with the Collaborative Research Center 1119 CROSSING at TU Darmstadt. He is involved in many projects around static analysis, including being a maintainer of the static analysis framework SootUp, maintaining and developing further static analysis tools, and supervising a project group that researches and develops usability improvements for static analysis tools.