Project Group: AI-supported Security Testing (SecAI)
Apply several skills to build an AI enhanced IDE-plugin to support software developers in secure coding:
- Security & Cryptography
- Machine Learning & AI
- User Interface Design
- Software Engineering
You find yourself? Then this project group is for you!
Presentation
Project Group Goal
Abstract
We provide a solid and accurate static analysis tool (e.g. Cognicrypt). Your task is to develop a usable AI-enhanced UI plugin that will be accepted by developers and actively used in the long term.
Motivation
Our research group strives to develop state-of-the-art static analysis tools that are precise and sound. One of these is the SAST tool (Static Application Security Testing) CogniCrypt. Integrating analysis tools into easy-to-use software that supports software developers in creating secure software is the next step - you can be part of this process in this project group.
To support software developers efficiently, research has shown that we need early integration of these tools into the development process. This requires a user interface, e.g. an IDE plugin, in which the analysis results are visualized and presented to be actionable. To increase acceptance in the software developer community, we want to enrich the analysis results with the help of artificial intelligence to guide developers through the insights of the underlying static analysis tool.
Context
Cognicrypt is a standalone static analysis tool for the detection of cryptographic API Misuses. It consumes rulesets on how to securely and correctly use cryptographic APIs. These rulesets are defined in the domain-specific language CrySL. CogniCrypt's makes use of the allowlisting approach where the secure usage of APIs is defined and violations against such rules result in a warning.
Recently we published an enhancement of CogniCrypt's analysis algorithm that allows the precise detection of dependent errors. Such errors actually are best described as error trees where one subsequent error has several preceding errors. Identifying this relation between error allows for providing more actionable warning reports. However, we still need to develop a user interface to present such error trees. This will help developers understand vulnerabilities and their actual causation location in code which will make it easier to fix them.
For more details, check the paper: Supporting Error Chains in Static Analysis for Precise Evaluation Results and Enhanced Usability (accepted at SANER 2024)
Developing a usable presentation is one of the ideas on how to better support developers.
Further ideas include using machine learning to rank alerts according to the likelihood that it is a true positive, i.e. a real problem that needs to be fixed. In this way, we can present mainly the real warnings to developers. Hence, the pain of inaccurate results is addressed and the developer experiences high precision of the warnings, which decreases or even prevents time lost investigating low priority or false warnings.
For a similar approach, check the paper: ALETHEIA: Improving the Usability of Static Security Analysis by Tripp et al.
