Semantic Similarity-Based Clustering of Findings From Security Testing Tools

by   Phillip Schneider, et al.

Over the last years, software development in domains with high security demands transitioned from traditional methodologies to uniting modern approaches from software development and operations (DevOps). Key principles of DevOps gained more importance and are now applied to security aspects of software development, resulting in the automation of security-enhancing activities. In particular, it is common practice to use automated security testing tools that generate reports after inspecting a software artifact from multiple perspectives. However, this raises the challenge of generating duplicate security findings. To identify these duplicate findings manually, a security expert has to invest resources like time, effort, and knowledge. A partial automation of this process could reduce the analysis effort, encourage DevOps principles, and diminish the chance of human error. In this study, we investigated the potential of applying Natural Language Processing for clustering semantically similar security findings to support the identification of problem-specific duplicate findings. Towards this goal, we developed a web application for annotating and assessing security testing tool reports and published a human-annotated corpus of clustered security findings. In addition, we performed a comparison of different semantic similarity techniques for automatically grouping security findings. Finally, we assess the resulting clusters using both quantitative and qualitative evaluation methods.


page 1

page 2

page 3

page 4


Risk Assessment, Threat Modeling and Security Testing in SDLC

The software development process is considered as one of the key guideli...

An Empirical Study of Automation in Software Security Patch Management

Several studies have shown that automated support for different activiti...

Secure Software Development Methodologies: A Multivocal Literature Review

In recent years, the number of cyber attacks has grown rapidly. An effec...

Using a Semantic Knowledge Base to Improve the Management of Security Reports in Industrial DevOps Projects

Integrating security activities into the software development lifecycle ...

"False negative – that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing

The demand for automated security analysis techniques, such as static an...

Communicating on Security within Software Development Issue Tracking

During software development, balancing security and non security issues ...

Metamorphic Testing for Web System Security

Security testing aims at verifying that the software meets its security ...

Please sign up or login with your details

Forgot password? Click here to reset