We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:
• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.
We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code.
