{"id":"https://openalex.org/W7116836112","doi":"https://doi.org/10.1145/3727967.3756836","title":"Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability","display_name":"Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability","publication_year":2025,"publication_date":"2025-06-17","ids":{"openalex":"https://openalex.org/W7116836112","doi":"https://doi.org/10.1145/3727967.3756836"},"language":null,"primary_location":{"id":"doi:10.1145/3727967.3756836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756836","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3727967.3756836","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5063519333","display_name":"Haifa Al\u2010Shammare","orcid":"https://orcid.org/0009-0007-1522-1147"},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":true,"raw_author_name":"Haifa Al-Shammare","raw_affiliation_strings":["Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0009-0007-1522-1147","affiliations":[{"raw_affiliation_string":"Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040287420","display_name":"Rawan Talal Alraddadi","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Rawan Alraddadi","raw_affiliation_strings":["Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0000-0002-1696-8660","affiliations":[{"raw_affiliation_string":"Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5093868795","display_name":"Faten Al-Abdulwahhab","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Faten Al-Abdulwahhab","raw_affiliation_strings":["Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0009-0008-8956-5003","affiliations":[{"raw_affiliation_string":"Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5121058855","display_name":"Mahmood Khan Niazi","orcid":null},"institutions":[{"id":"https://openalex.org/I134085113","display_name":"King Fahd University of Petroleum and Minerals","ror":"https://ror.org/03yez3163","country_code":"SA","type":"education","lineage":["https://openalex.org/I134085113"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Mahmood Niazi","raw_affiliation_strings":["Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia"],"raw_orcid":"https://orcid.org/0000-0001-7318-7644","affiliations":[{"raw_affiliation_string":"Information and Computer Science Department, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia","institution_ids":["https://openalex.org/I134085113"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5027472030","display_name":"Mamoona Humayun","orcid":"https://orcid.org/0000-0001-6339-2257"},"institutions":[{"id":"https://openalex.org/I877107187","display_name":"University of Roehampton","ror":"https://ror.org/043071f54","country_code":"GB","type":"education","lineage":["https://openalex.org/I877107187"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Mamoona Humayun","raw_affiliation_strings":["University of Roehampton, London, United Kingdom"],"raw_orcid":"https://orcid.org/0000-0001-6339-2257","affiliations":[{"raw_affiliation_string":"University of Roehampton, London, United Kingdom","institution_ids":["https://openalex.org/I877107187"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5063519333"],"corresponding_institution_ids":["https://openalex.org/I134085113"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.73097698,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"117","last_page":"126"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.43320000171661377,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.43320000171661377,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.3093999922275543,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.14380000531673431,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.8267999887466431},{"id":"https://openalex.org/keywords/cognitive-walkthrough","display_name":"Cognitive walkthrough","score":0.6653000116348267},{"id":"https://openalex.org/keywords/heuristic-evaluation","display_name":"Heuristic evaluation","score":0.5629000067710876},{"id":"https://openalex.org/keywords/personalization","display_name":"Personalization","score":0.5401999950408936},{"id":"https://openalex.org/keywords/software-walkthrough","display_name":"Software walkthrough","score":0.5130000114440918},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.4991999864578247},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4959999918937683},{"id":"https://openalex.org/keywords/vulnerability-management","display_name":"Vulnerability management","score":0.4887000024318695},{"id":"https://openalex.org/keywords/usability-inspection","display_name":"Usability inspection","score":0.4862000048160553}],"concepts":[{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.8267999887466431},{"id":"https://openalex.org/C87105883","wikidata":"https://www.wikidata.org/wiki/Q1107002","display_name":"Cognitive walkthrough","level":4,"score":0.6653000116348267},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6341999769210815},{"id":"https://openalex.org/C3255780","wikidata":"https://www.wikidata.org/wiki/Q1616517","display_name":"Heuristic evaluation","level":3,"score":0.5629000067710876},{"id":"https://openalex.org/C183003079","wikidata":"https://www.wikidata.org/wiki/Q1000371","display_name":"Personalization","level":2,"score":0.5401999950408936},{"id":"https://openalex.org/C46110900","wikidata":"https://www.wikidata.org/wiki/Q11702993","display_name":"Software walkthrough","level":5,"score":0.5130000114440918},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.4991999864578247},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4959999918937683},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.4887000024318695},{"id":"https://openalex.org/C23456302","wikidata":"https://www.wikidata.org/wiki/Q7901668","display_name":"Usability inspection","level":4,"score":0.4862000048160553},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.4074000120162964},{"id":"https://openalex.org/C62993174","wikidata":"https://www.wikidata.org/wiki/Q2928808","display_name":"Usability goals","level":4,"score":0.40630000829696655},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.39879998564720154},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3955000042915344},{"id":"https://openalex.org/C188688815","wikidata":"https://www.wikidata.org/wiki/Q7205541","display_name":"Pluralistic walkthrough","level":3,"score":0.37689998745918274},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3736000061035156},{"id":"https://openalex.org/C139225968","wikidata":"https://www.wikidata.org/wiki/Q17146354","display_name":"System usability scale","level":4,"score":0.3668999969959259},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.3407000005245209},{"id":"https://openalex.org/C63882131","wikidata":"https://www.wikidata.org/wiki/Q17122954","display_name":"Strengths and weaknesses","level":2,"score":0.31310001015663147},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.2985999882221222},{"id":"https://openalex.org/C4237393","wikidata":"https://www.wikidata.org/wiki/Q1636686","display_name":"Web usability","level":3,"score":0.29670000076293945},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.2955999970436096},{"id":"https://openalex.org/C100302975","wikidata":"https://www.wikidata.org/wiki/Q1642623","display_name":"Usability engineering","level":3,"score":0.28610000014305115},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.28540000319480896},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.26669999957084656},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.26420000195503235},{"id":"https://openalex.org/C89505385","wikidata":"https://www.wikidata.org/wiki/Q47146","display_name":"User interface","level":2,"score":0.2630999982357025},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.25870001316070557},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.2565999925136566},{"id":"https://openalex.org/C2778755073","wikidata":"https://www.wikidata.org/wiki/Q10858537","display_name":"Scale (ratio)","level":2,"score":0.25220000743865967}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3727967.3756836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756836","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3727967.3756836","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3727967.3756836","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 29th International Conference on Evaluation and Assessment in Software Engineering Companion","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":30,"referenced_works":["https://openalex.org/W814172419","https://openalex.org/W1761184020","https://openalex.org/W1913969462","https://openalex.org/W2557374108","https://openalex.org/W2560483663","https://openalex.org/W2773017930","https://openalex.org/W2804267743","https://openalex.org/W2811327923","https://openalex.org/W2892815795","https://openalex.org/W2955182064","https://openalex.org/W2968109196","https://openalex.org/W2982155348","https://openalex.org/W2985095280","https://openalex.org/W2994516867","https://openalex.org/W3000642371","https://openalex.org/W3006613871","https://openalex.org/W3037099619","https://openalex.org/W3038935150","https://openalex.org/W3112499362","https://openalex.org/W3116842536","https://openalex.org/W3132910239","https://openalex.org/W3153702491","https://openalex.org/W3159300567","https://openalex.org/W3170140511","https://openalex.org/W4206664668","https://openalex.org/W4240545424","https://openalex.org/W4399667987","https://openalex.org/W4403646757","https://openalex.org/W4405387008","https://openalex.org/W4407592327"],"related_works":[],"abstract_inverted_index":{"Detecting":[0],"security":[1,23,61],"vulnerabilities":[2,62,106,127,178],"early":[3,227],"in":[4,59,189,199,230],"the":[5,27,50,90,102,117,120,124,131,140,155,160,172,213,223],"software":[6,28,231],"development":[7],"lifecycle":[8],"can":[9],"significantly":[10],"reduce":[11],"costs,":[12],"maintenance,":[13],"and":[14,75,86,142,159,182,193,196,205,215],"time.":[15],"Research":[16],"has":[17],"shown":[18],"that":[19,168],"over":[20],"75%":[21],"of":[22,52,77,105,119,126,144,217],"breaches":[24],"stem":[25],"from":[26],"application":[29],"level.":[30],"Despite":[31],"many":[32],"methods":[33],"developed":[34],"to":[35,48,96,115],"detect":[36],"code":[37],"vulnerabilities,":[38],"effectively":[39],"addressing":[40],"this":[41],"issue":[42],"remains":[43],"challenging.":[44],"This":[45,208],"study":[46,209],"aims":[47],"evaluate":[49],"effectiveness":[51],"Static":[53],"Application":[54],"Security":[55],"Testing":[56],"(SAST)":[57],"tools":[58,95,121,132,225],"identifying":[60,176],"within":[63],"source":[64],"code.":[65],"The":[66,165],"evaluation":[67],"focuses":[68],"on":[69,123,202],"three":[70,78],"key":[71],"factors:":[72],"performance,":[73,175],"reporting,":[74,190],"usability":[76,148,200],"widely":[79],"used":[80],"SAST":[81,170,218],"tools\u2014Fortify":[82],"SCA,":[83,185],"Sparrow":[84,169],"SAST,":[85],"PVS-Studio.":[87,183],"To":[88],"conduct":[89],"evaluation,":[91],"we":[92],"applied":[93],"these":[94],"25":[97],"Java":[98],"test":[99],"cases,":[100],"estimating":[101],"total":[103],"number":[104,125],"detected":[107],"by":[108],"each":[109],"tool.":[110],"Statistical":[111],"analysis":[112],"was":[113,149,187],"performed":[114],"compare":[116],"performance":[118],"based":[122,201],"identified.":[128],"In":[129],"addition,":[130],"were":[133],"assessed":[134],"for":[135,226],"their":[136],"reporting":[137],"capabilities,":[138],"including":[139],"diversity":[141],"customization":[143],"report":[145],"types.":[146],"Finally,":[147],"evaluated":[150],"using":[151],"two":[152],"well-established":[153],"methods:":[154],"Heuristic":[156],"Walkthrough":[157],"Evaluation":[158],"System":[161],"Usability":[162],"Scale":[163],"(SUS).":[164],"results":[166],"show":[167],"had":[171],"best":[173],"detection":[174,229],"more":[177],"than":[179],"Fortify":[180,184],"SCA":[181],"however,":[186],"superior":[188],"offering":[191],"diverse":[192],"customizable":[194],"options,":[195],"ranked":[197],"highest":[198],"heuristic":[203],"walkthrough":[204],"SUS":[206],"evaluations.":[207],"offers":[210],"insights":[211],"into":[212],"strengths":[214],"weaknesses":[216],"tools,":[219],"helping":[220],"organizations":[221],"choose":[222],"right":[224],"vulnerability":[228],"development.":[232]},"counts_by_year":[],"updated_date":"2025-12-23T23:15:37.779995","created_date":"2025-12-23T00:00:00"}