Keypoints
- VIVID uses graph theory to analyze vulnerability data flows (VDFs) from SAST tools by constructing directed graphs of tainted data paths between application files.
- Nine graph metrics, including centrality measures and structural metrics like PageRank and modularity, were evaluated to assess their effectiveness in highlighting vulnerable code segments.
- Betweenness centrality, out-degree, in-eigenvector centrality, and cross-clique connectivity most accurately identified files critical to vulnerability propagation and optimal remediation targets.
- Two deliberately insecure Java applications, WebGoat and VeraDemo, served as experimental targets to validate the metrics against known vulnerable code files.
- Graph visualizations reveal clusters of vulnerabilities, enabling intuitive prioritization by development teams to reduce remediation workload while maximizing security gains.
- Substructure entropy was introduced as a measure to estimate refactoring effort required, especially useful for complex or third-party dependent code sections.
- The study suggests future work to incorporate vulnerability severity weights and finer granularity (function-level nodes) to further enhance remediation prioritization.
Security Problem
The paper addresses the limitations of current Static Application Security Testing (SAST) tools which primarily provide lists of vulnerabilities without visual context or insight into how tainted data propagates through application architectures. This lack of correlation analysis hinders development teams from efficiently prioritizing remediation across interconnected vulnerable code segments, leading to excessive code commits and suboptimal security improvements.
Methodology or Data
The authors collected vulnerability data flows from major SAST tools via Veracode’s API on two deliberately insecure Java applications, WebGoat and VeraDemo. They constructed directed graphs representing files as nodes and tainted data flows as edges, then analyzed nine graph-theoretic metrics—including centrality measures and structural metrics—to evaluate their capacity to highlight important nodes where vulnerabilities propagate. Graph visualization tools such as Gephi, along with R scripts, were used for analysis and metric computation.
Key Findings
Results show that metrics like betweenness centrality and cross-clique connectivity outperform simpler measures such as in-degree and PageRank in identifying crucial files involved in vulnerability dissemination. Betweenness centrality effectively highlights chokepoints for remediation that minimize code changes while maximizing vulnerability reduction. Substructure entropy can indicate the complexity and effort needed for code refactoring, particularly for third-party dependencies. These insights demonstrate the utility of graph-based analysis for providing an evidence-driven prioritized remediation list.
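As an added illustration of the graph construction described under Methodology and the betweenness-based ranking reported under Key Findings (this is example code written for this summary, not code from the VIVID paper or from its R and Gephi tooling), the Python below builds a file-level directed graph from SAST vulnerability data flows and produces a remediation priority list. The VDF records, file names and CWE labels are constructed sample data; each record lists the files a tainted flow traverses, and consecutive file pairs become directed edges. Betweenness centrality is computed with Brandes' algorithm on the unweighted graph, and out-degree breaks ties, matching the two metrics the paper found most useful.

```python
# Added example, not from the VIVID paper: file-level graph of SAST vulnerability
# data flows (VDFs) ranked by betweenness centrality, then out-degree.
# Standard library only; betweenness uses Brandes' algorithm (unnormalised).
from collections import defaultdict, deque

# Constructed sample VDFs. Each record is one SAST finding whose tainted data
# passes through the listed files in order (taint source first, sink last).
SAMPLE_VDFS = [
    {"cwe": "CWE-89", "path": ["Login.java", "InputSanitizer.java", "DbAccess.java"]},
    {"cwe": "CWE-89", "path": ["Search.java", "InputSanitizer.java", "DbAccess.java"]},
    {"cwe": "CWE-22", "path": ["Upload.java", "InputSanitizer.java", "FileWriter.java"]},
    {"cwe": "CWE-89", "path": ["Login.java", "DbAccess.java"]},
    {"cwe": "CWE-79", "path": ["Search.java", "InputSanitizer.java", "FileWriter.java"]},
]


def build_graph(vdfs):
    """Return (adjacency, edge_weights).

    One node per file; one directed edge per consecutive file pair in a VDF.
    The weight of an edge is the number of findings whose flow uses it.
    """
    adj = {}
    weights = defaultdict(int)
    for vdf in vdfs:
        path = vdf["path"]
        for f in path:
            adj.setdefault(f, set())  # sink-only files still appear as nodes
        for src, dst in zip(path, path[1:]):
            if src != dst:  # a flow staying inside one file adds no edge
                adj[src].add(dst)
                weights[(src, dst)] += 1
    return adj, dict(weights)


def betweenness(adj):
    """Brandes' betweenness centrality for an unweighted directed graph."""
    cb = {v: 0.0 for v in adj}
    for s in adj:
        stack, preds = [], {v: [] for v in adj}
        sigma = {v: 0 for v in adj}   # number of shortest paths from s
        dist = {v: -1 for v in adj}   # BFS distance from s, -1 = unreached
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        # Accumulate dependencies in reverse BFS order.
        delta = {v: 0.0 for v in adj}
        while stack:
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return cb


def out_degree(adj):
    return {v: len(adj[v]) for v in adj}


def in_degree(adj):
    deg = {v: 0 for v in adj}
    for v in adj:
        for w in adj[v]:
            deg[w] += 1
    return deg


def rank_files(vdfs):
    """Remediation priority: highest betweenness first, out-degree breaks ties,
    file name as a final deterministic tie-break."""
    adj, _ = build_graph(vdfs)
    cb, outd = betweenness(adj), out_degree(adj)
    return sorted(adj, key=lambda f: (-cb[f], -outd[f], f))


if __name__ == "__main__":
    adj, weights = build_graph(SAMPLE_VDFS)
    cb, outd, ind = betweenness(adj), out_degree(adj), in_degree(adj)
    for f in rank_files(SAMPLE_VDFS):
        print(f"{f:22s} betweenness={cb[f]:4.1f} out={outd[f]} in={ind[f]}")
    # InputSanitizer.java sits on every Search/Upload flow and on the
    # Login->FileWriter flow, so it tops the list (betweenness 5.0).
```

On the constructed data, InputSanitizer.java is the chokepoint the paper describes: every flow from Search.java and Upload.java passes through it, so fixing it removes more findings per commit than patching any single source or sink. Real SAST exports would replace SAMPLE_VDFS, and the per-edge weights from build_graph can be used to annotate the graph in a tool like Gephi or to add the severity weighting the paper leaves for future work.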
Operational Relevance
These findings equip SOC analysts and threat intelligence teams with a systematic approach to translate SAST data into actionable remediation priorities, focusing on files that act as vulnerability hotspots or propagation bridges. The approach promotes efficient security patching by targeting high-impact files first, reducing the overall remediation effort and risk exposure. Incorporating these graph metrics into existing workflows can enhance vulnerability triage and support better resource allocation for application security improvements.
Read more: https://arxiv.org/html/2505.16205v1