Score
Secure coding practices encompass writing code that resists common vulnerabilities by validating and sanitizing inputs, applying least privilege, using safe APIs, managing secrets, keeping dependencies updated, and employing static/dynamic analysis and OWASP guidelines to prevent SQL injection, XSS, buffer overflows, and similar issues.
This study addresses the inconsistent quality of freely available online web security tutorials, which often lack executable code and authoritative resource references, thereby limiting their practical utility for developers. The authors systematically evaluate 132 such tutorials and propose, for the first time, “executable code” and “citations to official resources” as key indicators of tutorial effectiveness. Through manual content analysis, they assess and categorize the tutorials across multiple dimensions—including topic coverage, author background, technical depth, and use of authoritative standards such as OWASP, CWE, and CVE. Findings reveal that most tutorials are vendor-provided and focus primarily on conceptual explanations, with only a minority offering complete, runnable code or linking to established security standards. This work provides developers with an evidence-based framework for identifying high-quality learning materials in web security.
This study addresses the low industrial adoption of secure web application coding practices by systematically analyzing organizational, educational, and technical barriers. Methodologically, it develops a structured threat classification framework grounded in OWASP Top 10, integrating DevSecOps and cloud security contexts; conducts a comparative analysis of secure coding practices across mainstream web frameworks; and—novelly—empirically evaluates large language models (LLMs) on vulnerability detection and secure code generation for four critical vulnerability classes: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure deserialization. The approach combines systematic literature review, threat modeling, framework-level comparative analysis, and LLM-driven empirical evaluation. Results demonstrate LLMs’ measurable efficacy—and clear limitations—in automated vulnerability identification and remediation suggestion. The work delivers an integrable, intelligent secure coding assistance framework, offering practitioners, educators, and researchers actionable insights to enhance secure development efficiency and inform future AI-augmented security tooling.
This work addresses the critical issue that large language models (LLMs) often generate functionally correct yet insecure code. To tackle this, we propose a three-round dynamic reflection prompting method for security-driven code generation. Our approach integrates the Instruct Prime evaluation framework under a zero-shot setting and introduces an Insecure Code Detector (ICD) to identify vulnerabilities, quantifying security performance via Repair, Regression, and NetGain metrics. Experiments demonstrate an average improvement in security accuracy from 70.74% to 79.43%, with the first two reflection rounds delivering the majority of gains. Security enhancements are most pronounced for Python, while C/C# show more limited improvements. The method excels at mitigating template-based vulnerabilities—such as XSS and hardcoded secrets—but exhibits lower efficacy against non-template ones. To our knowledge, this is the first work to systematically apply multi-round reflection for code security enhancement, establishing a scalable, security-aware paradigm for LLM-based code generation.
Existing security-coding datasets suffer from insufficient grounding in real-world security incidents, limited scale, and absence of production-environment operational context—hindering robust AI model training and practical deployment. To address this, we propose an *incident-grounded* construction paradigm and introduce the first production-grade security-coding dataset: comprising 1,215 CVE-anchored vulnerability–patch code pairs across 11 risk categories and 11 programming languages. It features a four-turn dialogue structure to simulate human–AI collaboration, integrates SIEM policies, infrastructure hardening (Docker/AppArmor/WAF), and language-specific testing frameworks. We establish a structured validation framework, multilingual security test suites, and an extended OWASP Top 10:2025+AI threat taxonomy. The dataset is partitioned into 989/122/104 samples for training/validation/testing and is fully open-sourced. Empirical evaluation demonstrates substantial improvement in model-generated code’s security compliance rate.
This work addresses the persistent challenge of content composition vulnerabilities in software, which remain difficult to mitigate through developer training, static analysis, or templating languages, and are often reproduced in AI-generated code. The paper proposes a general-purpose secure content composition framework that incrementally extends the string expression syntax of general-purpose programming languages to enable precise security analysis and optimization at compile time. Its core innovation lies in a language design principle that minimizes the lexical distance between secure and insecure idioms, combined with dynamic-semantics-informed static analysis, compile-time diagnostics, and library-based encapsulation of secure logic. This approach facilitates collaborative remediation by both developers and AI systems, offering strong compile-time safety guarantees while maintaining performance comparable to native string concatenation, thereby significantly enhancing both the security and usability of string composition.
This study addresses the significant inaccuracies of existing static analysis tools in evaluating the security of code generated by large language models (LLMs), which often fail to reliably identify genuine vulnerabilities. The work presents the first systematic investigation of this issue and introduces a human-verified benchmark dataset of secure and vulnerable code samples to assess the performance of widely used tools such as CodeQL and Semgrep, revealing sample-level accuracy rates of only 61% and 65%, respectively. To mitigate these limitations, the authors propose a dynamic retrieval-augmented generation (RAG) framework that integrates continuous human feedback, enabling persistent knowledge reuse and iterative improvement of security capabilities. Experimental results demonstrate that this approach substantially enhances the accuracy and reliability of LLMs in both secure code generation and vulnerability detection.
Existing approaches to secure code generation lack robustness validation under adversarial prompts, and their security and functional evaluations are often decoupled, leading to inflated performance claims. This work proposes the first adversarial evaluation framework specifically designed for secure code generation systems, which jointly assesses both security and functionality of prominent methods—SVEN, SafeCoder, and PromSec—under unified conditions. The framework simulates realistic development or attack scenarios through prompt perturbations, including rewriting, cue inversion, and context manipulation. Experiments reveal that static analyzers overestimate security by 7–21×, and 37%–60% of outputs deemed “secure” are in fact non-functional. Under adversarial perturbations, the rate of truly secure and usable code drops sharply to 3%–17%. This study establishes a joint evaluation paradigm and best practices that holistically account for both security and functionality.
This study investigates the impact of minimal prompt perturbations on the security of code generated by large language models. By introducing single-character perturbations across three prominent models and five programming languages, the authors systematically analyze the mechanisms through which such subtle changes induce security vulnerabilities, leveraging token-level mutations, hidden state probing, and AUC-based evaluation. The work reveals for the first time that even a single-character modification can transform otherwise secure code into vulnerable outputs. Furthermore, input-handling vulnerabilities (AUC = 0.753) are shown to be more predictable than those related to insecure defaults (AUC = 0.674). Building on these findings, the paper proposes differentiated defense strategies, including pre-generation detection and in-decoding intervention, to mitigate the risks posed by prompt-level perturbations.
Developers often inadvertently introduce vulnerabilities due to insufficient security knowledge and code complexity, while traditional tools only detect issues post hoc, incurring high remediation costs. This work proposes a proactive prevention approach that identifies methods implementing security-critical functionalities—such as authentication and input handling—using code-level security-aware metrics. These metrics are integrated with a large language model (LLM) to generate actionable, preventive explanations, which are embedded directly into the development workflow to enhance secure coding practices. A prototype plugin implemented in IntelliJ IDEA was evaluated on the Spring-PetClinic application, demonstrating that the selected metrics effectively pinpoint known security-critical methods and that the LLM-generated explanations are both practical and prevention-oriented.
This work addresses the persistent issue that large language models frequently introduce verifiable security vulnerabilities in code generation, even when explicitly instructed to avoid them. To mitigate this, the authors propose SecureForge, the first framework that automatically refines system prompts using vulnerability audit feedback. By identifying benign prompts that inadvertently induce vulnerabilities, SecureForge employs Markov-chain sampling to generate diverse synthetic training data and iteratively optimizes system prompts—achieving zero-shot generalization without relying on real user data. Experimental results demonstrate that this approach reduces security vulnerabilities by up to 48% across mainstream large language models while maintaining or improving unit test pass rates, thereby achieving a Pareto improvement in both security and functional correctness.
JavaScript code obfuscation can evade static application security testing (SAST) tools, leading to undetected vulnerabilities and a false sense of security in the software supply chain. This work constructs a realistic threat model for software supply chains and presents the first systematic evaluation of eight semantics-preserving obfuscation techniques—individually and in combination—against mainstream JavaScript SAST tools, namely Njsscan and Bearer. Through a two-phase empirical analysis using both OWASP Benchmark applications and real-world GitHub projects, the study introduces a quantitative metric termed Vulnerability Detection Loss (VDL). Results demonstrate that even a single obfuscation technique significantly suppresses the detection of high-severity vulnerabilities, while multiple combined obfuscations drive VDL close to 100%, exposing fundamental fragility and a critical lack of robustness in current SAST tools when confronted with common obfuscation strategies.