Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability

Haifa Al-Shammare; Rawan Alraddadi; Faten Al-Abdulwahhab; Mahmood Niazi; Mamoona Humayun

doi:10.1145/3727967.3756836

Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability

Haifa Al-Shammare
, Rawan Alraddadi
, Faten Al-Abdulwahhab
, Mahmood Niazi
, Mamoona Humayun

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Detecting security vulnerabilities early in the software development lifecycle can significantly reduce costs, maintenance, and time. Research has shown that over 75% of security breaches stem from the software application level. Despite many methods developed to detect code vulnerabilities, effectively addressing this issue remains challenging. This study aims to evaluate the effectiveness of Static Application Security Testing (SAST) tools in identifying security vulnerabilities within source code. The evaluation focuses on three key factors: performance, reporting, and usability of three widely used SAST tools - Fortify SCA, Sparrow SAST, and PVS-Studio. To conduct the evaluation, we applied these tools to 25 Java test cases, estimating the total number of vulnerabilities detected by each tool. Statistical analysis was performed to compare the performance of the tools based on the number of vulnerabilities identified. In addition, the tools were assessed for their reporting capabilities, including the diversity and customization of report types. Finally, usability was evaluated using two well-established methods: the Heuristic Walkthrough Evaluation and the System Usability Scale (SUS). The results show that Sparrow SAST had the best detection performance, identifying more vulnerabilities than Fortify SCA and PVS-Studio. Fortify SCA, however, was superior in reporting, offering diverse and customizable options, and ranked highest in usability based on heuristic walkthrough and SUS evaluations. This study offers insights into the strengths and weaknesses of SAST tools, helping organizations choose the right tools for early vulnerability detection in software development.

Original language	English
Title of host publication	Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025
Editors	Muhammad Ali Babar, Ayse Tosun, Stefan Wagner, Viktoria Stray
Publisher	Association for Computing Machinery, Inc
Pages	117-126
Number of pages	10
ISBN (Electronic)	9798400718328
DOIs	https://doi.org/10.1145/3727967.3756836
State	Published - 23 Dec 2025
Event	29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025 - Istanbul, Turkey Duration: 17 Jun 2025 → 20 Jun 2025

Publication series

Name	Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

Conference

Conference	29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025
Country/Territory	Turkey
City	Istanbul
Period	17/06/25 → 20/06/25

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Keywords

CWE
Comparative study
Fortify SCA
OWASP
PVS-Studio
Performance metrics
Reporting
Sparrow SAST
Static Application Security Testing (SAST)
Usability

ASJC Scopus subject areas

Software

Access to Document

10.1145/3727967.3756836

Cite this

Al-Shammare, H., Alraddadi, R., Al-Abdulwahhab, F., Niazi, M., & Humayun, M. (2025). Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability. In M. A. Babar, A. Tosun, S. Wagner, & V. Stray (Eds.), Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025 (pp. 117-126). (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025). Association for Computing Machinery, Inc. https://doi.org/10.1145/3727967.3756836

Al-Shammare, Haifa ; Alraddadi, Rawan ; Al-Abdulwahhab, Faten et al. / Evaluating the Effectiveness of SAST Tools : A Comparative Study on Vulnerability Detection, Reporting, and Usability. Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. editor / Muhammad Ali Babar ; Ayse Tosun ; Stefan Wagner ; Viktoria Stray. Association for Computing Machinery, Inc, 2025. pp. 117-126 (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025).

@inproceedings{8a434dd7b7614879b4698b2b318955bb,

title = "Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability",

abstract = "Detecting security vulnerabilities early in the software development lifecycle can significantly reduce costs, maintenance, and time. Research has shown that over 75\% of security breaches stem from the software application level. Despite many methods developed to detect code vulnerabilities, effectively addressing this issue remains challenging. This study aims to evaluate the effectiveness of Static Application Security Testing (SAST) tools in identifying security vulnerabilities within source code. The evaluation focuses on three key factors: performance, reporting, and usability of three widely used SAST tools - Fortify SCA, Sparrow SAST, and PVS-Studio. To conduct the evaluation, we applied these tools to 25 Java test cases, estimating the total number of vulnerabilities detected by each tool. Statistical analysis was performed to compare the performance of the tools based on the number of vulnerabilities identified. In addition, the tools were assessed for their reporting capabilities, including the diversity and customization of report types. Finally, usability was evaluated using two well-established methods: the Heuristic Walkthrough Evaluation and the System Usability Scale (SUS). The results show that Sparrow SAST had the best detection performance, identifying more vulnerabilities than Fortify SCA and PVS-Studio. Fortify SCA, however, was superior in reporting, offering diverse and customizable options, and ranked highest in usability based on heuristic walkthrough and SUS evaluations. This study offers insights into the strengths and weaknesses of SAST tools, helping organizations choose the right tools for early vulnerability detection in software development.",

keywords = "CWE, Comparative study, Fortify SCA, OWASP, PVS-Studio, Performance metrics, Reporting, Sparrow SAST, Static Application Security Testing (SAST), Usability",

author = "Haifa Al-Shammare and Rawan Alraddadi and Faten Al-Abdulwahhab and Mahmood Niazi and Mamoona Humayun",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025 ; Conference date: 17-06-2025 Through 20-06-2025",

year = "2025",

month = dec,

day = "23",

doi = "10.1145/3727967.3756836",

language = "English",

series = "Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025",

publisher = "Association for Computing Machinery, Inc",

pages = "117--126",

editor = "Babar, \{Muhammad Ali\} and Ayse Tosun and Stefan Wagner and Viktoria Stray",

booktitle = "Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025",

}

Al-Shammare, H, Alraddadi, R, Al-Abdulwahhab, F, Niazi, M & Humayun, M 2025, Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability. in MA Babar, A Tosun, S Wagner & V Stray (eds), Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025, Association for Computing Machinery, Inc, pp. 117-126, 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025, Istanbul, Turkey, 17/06/25. https://doi.org/10.1145/3727967.3756836

Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability. / Al-Shammare, Haifa; Alraddadi, Rawan; Al-Abdulwahhab, Faten et al.
Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. ed. / Muhammad Ali Babar; Ayse Tosun; Stefan Wagner; Viktoria Stray. Association for Computing Machinery, Inc, 2025. p. 117-126 (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Evaluating the Effectiveness of SAST Tools

T2 - 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025

AU - Al-Shammare, Haifa

AU - Alraddadi, Rawan

AU - Al-Abdulwahhab, Faten

AU - Niazi, Mahmood

AU - Humayun, Mamoona

PY - 2025/12/23

Y1 - 2025/12/23

N2 - Detecting security vulnerabilities early in the software development lifecycle can significantly reduce costs, maintenance, and time. Research has shown that over 75% of security breaches stem from the software application level. Despite many methods developed to detect code vulnerabilities, effectively addressing this issue remains challenging. This study aims to evaluate the effectiveness of Static Application Security Testing (SAST) tools in identifying security vulnerabilities within source code. The evaluation focuses on three key factors: performance, reporting, and usability of three widely used SAST tools - Fortify SCA, Sparrow SAST, and PVS-Studio. To conduct the evaluation, we applied these tools to 25 Java test cases, estimating the total number of vulnerabilities detected by each tool. Statistical analysis was performed to compare the performance of the tools based on the number of vulnerabilities identified. In addition, the tools were assessed for their reporting capabilities, including the diversity and customization of report types. Finally, usability was evaluated using two well-established methods: the Heuristic Walkthrough Evaluation and the System Usability Scale (SUS). The results show that Sparrow SAST had the best detection performance, identifying more vulnerabilities than Fortify SCA and PVS-Studio. Fortify SCA, however, was superior in reporting, offering diverse and customizable options, and ranked highest in usability based on heuristic walkthrough and SUS evaluations. This study offers insights into the strengths and weaknesses of SAST tools, helping organizations choose the right tools for early vulnerability detection in software development.

AB - Detecting security vulnerabilities early in the software development lifecycle can significantly reduce costs, maintenance, and time. Research has shown that over 75% of security breaches stem from the software application level. Despite many methods developed to detect code vulnerabilities, effectively addressing this issue remains challenging. This study aims to evaluate the effectiveness of Static Application Security Testing (SAST) tools in identifying security vulnerabilities within source code. The evaluation focuses on three key factors: performance, reporting, and usability of three widely used SAST tools - Fortify SCA, Sparrow SAST, and PVS-Studio. To conduct the evaluation, we applied these tools to 25 Java test cases, estimating the total number of vulnerabilities detected by each tool. Statistical analysis was performed to compare the performance of the tools based on the number of vulnerabilities identified. In addition, the tools were assessed for their reporting capabilities, including the diversity and customization of report types. Finally, usability was evaluated using two well-established methods: the Heuristic Walkthrough Evaluation and the System Usability Scale (SUS). The results show that Sparrow SAST had the best detection performance, identifying more vulnerabilities than Fortify SCA and PVS-Studio. Fortify SCA, however, was superior in reporting, offering diverse and customizable options, and ranked highest in usability based on heuristic walkthrough and SUS evaluations. This study offers insights into the strengths and weaknesses of SAST tools, helping organizations choose the right tools for early vulnerability detection in software development.

KW - CWE

KW - Comparative study

KW - Fortify SCA

KW - OWASP

KW - PVS-Studio

KW - Performance metrics

KW - Reporting

KW - Sparrow SAST

KW - Static Application Security Testing (SAST)

KW - Usability

UR - https://www.scopus.com/pages/publications/105026945428

U2 - 10.1145/3727967.3756836

DO - 10.1145/3727967.3756836

M3 - Conference contribution

AN - SCOPUS:105026945428

T3 - Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

SP - 117

EP - 126

BT - Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

A2 - Babar, Muhammad Ali

A2 - Tosun, Ayse

A2 - Wagner, Stefan

A2 - Stray, Viktoria

PB - Association for Computing Machinery, Inc

Y2 - 17 June 2025 through 20 June 2025

ER -

Al-Shammare H, Alraddadi R, Al-Abdulwahhab F, Niazi M, Humayun M. Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability. In Babar MA, Tosun A, Wagner S, Stray V, editors, Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. Association for Computing Machinery, Inc. 2025. p. 117-126. (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025). doi: 10.1145/3727967.3756836

Evaluating the Effectiveness of SAST Tools: A Comparative Study on Vulnerability Detection, Reporting, and Usability

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this