Over the years we've had many cases where AppScan users approached our support teams with what they claimed were false positive reports. But when our security experts looked into the details, they turned out to be actual security problems. It happens. We refer to such cases as perceived false positives. These are cases where AppScan found correct issues, but failed to communicate them to the users clearly enough.
At the end of the day, our end users are just people. If AppScan fails to explain itself clearly, it's our problem, not the user's. It's important that we find ways to explain our security findings clearly, simply, and in a convincing way.
So when we set out to write the JSA component in AppScan, we looked for a fresh new way of presenting static analysis results in a manner that is readable and understandable in the simplest possible way.
Some background: the kind of results we deal with involve a data-flow trace. This is somewhat similar to a debugger stack trace, but showing a sequence of locations in source code where data flows through. How do you visualize such data?
Look at what we have today in static analysis tools. The view for presenting results is often quite complex. It features multiple panes. It expects the user to review the data-flow trace by interacting with a "Trace" view. Click on an item there and it changes the source view at some other pane. By going back and forth between all the steps on the trace, the user is expected to understand the data-flow trace well enough to determine whether the issue is a false positive or not. Often, this can be quite involved.
We wanted something simpler.
Here's the idea: we can make the mental process of reviewing a data-flow trace easier, by presenting the trace in a single, linear, scrollable view. In this view, steps appear in linear sequence, each one leading to the next. The user can simply scroll through the view, from top to bottom, to see the entire trace, without having to interact with the view. No double-click to zoom, no expand/collapse. Just follow the arrows from top to bottom. Notice how the same file can appear twice (in this example, once at the top, and again at the bottom):
Isn't that great? We were really excited about this concept. With all the static analysis tools that are out there, nobody has ever presented data-flow results in this way. We went ahead and implemented it in JSA. Only the cool arrows are missing, since they were a bit more expensive to implement :) Here's how it actually looks like:
The feedback so far has been very positive. People are finding this view simple and intuitive. It allows our users to make sense of our results, making it easy to review and triage the findings.
I guess the bottom line here is this: understanding results of static analysis is hard enough; our UI shouldn't make it any harder than it already is.
What do you think? Would you like to see this implemented in other static analysis tools? Leave a comment with your thoughts.