English

From Detection to Prevention: Explaining Security-Critical Code to Avoid Vulnerabilities

Cryptography and Security 2026-02-03 v1 Artificial Intelligence Software Engineering

Abstract

Security vulnerabilities often arise unintentionally during development due to a lack of security expertise and code complexity. Traditional tools, such as static and dynamic analysis, detect vulnerabilities only after they are introduced in code, leading to costly remediation. This work explores a proactive strategy to prevent vulnerabilities by highlighting code regions that implement security-critical functionality -- such as data access, authentication, and input handling -- and providing guidance for their secure implementation. We present an IntelliJ IDEA plugin prototype that uses code-level software metrics to identify potentially security-critical methods and large language models (LLMs) to generate prevention-oriented explanations. Our initial evaluation on the Spring-PetClinic application shows that the selected metrics identify most known security-critical methods, while an LLM provides actionable, prevention-focused insights. Although these metrics capture structural properties rather than semantic aspects of security, this work lays the foundation for code-level security-aware metrics and enhanced explanations.

Keywords

Cite

@article{arxiv.2602.00711,
  title  = {From Detection to Prevention: Explaining Security-Critical Code to Avoid Vulnerabilities},
  author = {Ranjith Krishnamurthy and Oshando Johnson and Goran Piskachev and Eric Bodden},
  journal= {arXiv preprint arXiv:2602.00711},
  year   = {2026}
}

Comments

4 pages

R2 v1 2026-07-01T09:29:25.534Z