ANALYSIS AND COMPARISON OF STATIC APPLICATION SECURITY TESTING TOOLS AND COMMON TOOL MECHANISMS
Download
Thesis-April_Final.pdf
İmza sayfası.pdf
Date
2026-04-14
Author
Seren, Ata
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Static Application Security Testing (SAST) tools play a critical role in identifying vulnerabilities during software development, which allows security issues to be addressed at an early stage and mitigates security risks in production. However, their real-world effectiveness remains difficult to assess because evaluations rely heavily on synthetic benchmarks and aggregated metrics. This thesis examines the internal mechanisms underlying SAST tools, including how they parse source code, analyze syntactic and semantic structures, and identify potential security weaknesses. A comparative analysis is conducted on a set of open-source SAST tools using a strict issue-level evaluation approach that measures performance on individual actionable findings. The evaluation considers detection accuracy, false-positive and false-negative rates, and programming language coverage across both benchmark datasets and intentionally vulnerable real-world applications. In addition to quantitative measurements, qualitative and mechanism-oriented evaluations, such as the analysis techniques employed and additional tool features, are included to contextualize the experimental results. The findings show that no evaluated SAST tool achieves consistently strong detection performance across all languages and datasets under realistic conditions. Tools optimized for syntactic pattern matching perform well in benchmark-oriented scenarios but show limitations in complex, framework-driven applications, while tools employing deeper, language-native semantic analysis provide improved precision within narrower ecosystems. Overall, the study highlights structural trade-offs between accuracy, usability, and analytical depth in current SAST designs, offering practical insights for tool selection and identifying areas for future improvement.
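The trade-off the abstract describes, a syntactic pattern matcher versus a semantic data-flow checker, scored at issue level, as an added example that is not from the thesis; the two sample snippets, the source `request.args`, the sanitizer `escape()` and the sink `execute()` are assumptions made for the illustration.

```python
import ast

# Constructed samples (not from the thesis): both build a SQL string from request
# input, but only SAFE passes the input through escape() before it reaches execute().
VULN = '''def h(request):
    name = request.args["name"]
    query = "SELECT * FROM u WHERE n='" + name + "'"
    cursor.execute(query)
'''
SAFE = VULN.replace('request.args["name"]', 'escape(request.args["name"])')

def syntactic(src):
    """Pattern-matching style: flag execute() whenever a concatenated SQL string exists."""
    lines = src.splitlines()
    concat = any("SELECT" in ln and "+" in ln for ln in lines)
    return [i + 1 for i, ln in enumerate(lines) if "execute(" in ln and concat]

def semantic(src):
    """AST taint tracking: source request.args[...], '+' propagates, escape() clears, sink execute()."""
    tainted, findings = set(), []
    def is_tainted(node):
        if isinstance(node, ast.Call):          # escape() is the assumed sanitizer
            return getattr(node.func, "id", None) != "escape" and any(map(is_tainted, node.args))
        if isinstance(node, ast.BinOp):         # string concatenation propagates taint
            return is_tainted(node.left) or is_tainted(node.right)
        if isinstance(node, ast.Subscript):     # request.args[...] is the assumed source
            return ast.unparse(node.value) == "request.args"
        return isinstance(node, ast.Name) and node.id in tainted
    for fn in ast.parse(src).body:              # walk statements in source order
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if is_tainted(stmt.value): tainted.add(stmt.targets[0].id)
                else: tainted.discard(stmt.targets[0].id)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if getattr(call.func, "attr", None) == "execute" and any(map(is_tainted, call.args)):
                    findings.append(stmt.lineno)
    return findings

def evaluate(tool):
    """Issue-level scoring: each (sample, line) reported is one finding, matched one-to-one
    against ground truth; returns (tp, fp, fn, precision, recall)."""
    truth = {("VULN", 4)}
    found = {(name, ln) for name, src in (("VULN", VULN), ("SAFE", SAFE)) for ln in tool(src)}
    tp, fp, fn = len(found & truth), len(found - truth), len(truth - found)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return tp, fp, fn, prec, rec
```

Running `evaluate(syntactic)` yields a false positive on the sanitized sample (precision 0.5), while `evaluate(semantic)` reports only the real flow.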
Subject Keywords
Static Application Security Testing (SAST), application security, vulnerability detection, source code analysis
URI
https://hdl.handle.net/11511/119092
Collections
Graduate School of Informatics, Thesis
Citation
A. Seren, “ANALYSIS AND COMPARISON OF STATIC APPLICATION SECURITY TESTING TOOLS AND COMMON TOOL MECHANISMS,” M.S. - Master of Science, Middle East Technical University, 2026.