search menu icon-carat-right cmu-wordmark

On the Wasted DevOps Cycles Caused by False Positive Bug Reports

June 2021 Presentation

This talk by Munawar Hafiz, Founder and CEO at OpenRefactory, Inc., was presented at DevSecOps Days Pittsburgh 2021.

Publisher:

Software Engineering Institute

Abstract

SAST tools operate with an over 50% false-positive rate, meaning for every two bugs identified by the tools, one of them is not a bug. This takes developers into long, boring, and unproductive triaging sessions and is a major contributor to the wasted DevOps cycles. This talk focuses on the current and emerging challenges that make writing precise tools even harder. The push towards microservices means software broken into many parts and therefore the context useful for program analysis is unavailable. This information should be stitched to get a complete picture, but doing it on a case-by-case basis does not scale. Current tool builders should start designing tools for that future if they have not done so already. The talk will also focus on how bug detection tools should be integrated with the developer's daily routine to fix bugs earlier. These tweaks will make a major dent in reducing the billions of dollars of intellectual waste.

Munawar Hafiz is the founder and CEO of OpenRefactory, Inc., an application security company that intends to improve the way that developers write secure, reliable, and compliant code. Munawar had a body of work on automated bug fixing in academia which lays the foundation for OpenRefactory. He is a champion of pushing SAST tools for better precision and introducing code rewriting capabilities to fix bugs automatically.

Download the graphic recording or watch the video on YouTube or below: