Report: Bug Finders Spot Only 2% of Vulnerabilities

  • July 11, 2016
  • By Developer.com Staff

Many developers rely on bug finders to help them root out security vulnerabilities, but a new paper says those tools miss 98 percent of bugs. Researchers from New York University's Tandon School of Engineering, the MIT Lincoln Laboratory and Northeastern University developed a new technique called Large-Scale Automated Vulnerability Addition (LAVA), which adds known vulnerabilities to source code in order to benchmark the abilities of bug finders. When the researchers tested today's popular bug finders with the LAVA approach, the tools identified only 2 percent of the bugs LAVA added to the source code.

"There has never been a performance benchmark at this scale in this area, and now we have one," said Brendan Dolan-Gavitt, an assistant professor of computer science and engineering at NYU Tandon. "Developers can compete for bragging rights on who has the highest success rate in bug-finding, and the programs that will come out of the process could be stronger."
