Saturday, April 21, 2012

Motivations for the Paper

  • A study we conducted shows that 70% of the vulnerabilities were fixed by adding new code, that is, new functionality that renders the attack ineffective
  • 45% of the vulnerabilities in the study were from the CWE Top 25
  • Since most vulnerability fixes involved new code, static analyzers could be rendered ineffective
  • Developers might not have time to learn about all the vulnerabilities and would benefit from a tool that points out the places where the code is potentially vulnerable
