Foraging-Theoretic Tool Composition: An Empirical Study on Vulnerability Discovery

Bibliographic Details
Published in: 2021 IEEE 22nd International Conference on Information Reuse and Integration for Data Science (IRI), pp. 139-146
Main Authors: Assarandarban, Mona; Bhowmik, Tanmay; Do, Anh Quoc; Chekuri, Surendra; Wang, Wentao; Niu, Nan
Format: Conference Proceeding
Language: English
Published: IEEE, 01.08.2021

Summary: Discovering vulnerabilities is an information-intensive task that requires a developer to locate the defects in the code that have security implications. The task is difficult due to growing code complexity and some developers' lack of security expertise. Although tools have been created to ease the difficulty, no single one is sufficient. In practice, developers often use a combination of tools to uncover vulnerabilities. Yet the basis on which different tools are composed is underexplored. In this paper, we examine the composition basis by taking advantage of the tool design patterns informed by foraging theory. We follow a design science methodology and carry out a three-step empirical study: mapping 34 foraging-theoretic patterns onto a specific vulnerability discovery tool, formulating hypotheses about the value and cost of foraging under two composition scenarios, and performing a human-subject study to test the hypotheses. Our work offers insights for guiding developers' tool usage in detecting software vulnerabilities.
DOI: 10.1109/IRI51335.2021.00025