**1. Introduction**

Computing systems face serious threats from attackers on a day-to-day basis. Devices within a network could be targeted or used as launching pads to spawn malware and other attacks against critical systems and infrastructure. A system is only as secure as its weakest link [1]. Therefore, software engineers must be cognizant of the cyber-related challenges that plague modern computer systems and engineer software with credible defenses. One of the first defenses against potential threats to computer systems is careful analysis of program code during development, followed by the steps necessary to minimize or eliminate vulnerabilities.

Program analysis falls into three main categories: static application security testing (SAST) or static analysis, dynamic application security testing (DAST) or dynamic analysis, and interactive application security testing (IAST). Static analysis is a "technique in which code listings, test results, or other documentation are … examined … to identify errors, violations of development standards, or other problems" [2]. Dynamic analysis is the "process of evaluating a system or component based on its behavior during execution" [2]. IAST involves instrumenting a program with sensors to monitor program code in memory during execution in order to find specific events that could cause vulnerabilities [3]. Two or more of these approaches may be combined to create hybrid tools and techniques for analyzing program code. These hybrid systems are designed to achieve more comprehensive coverage and to decrease the false positives and false negatives of existing approaches.

While researchers are interested in designing sound and complete code analysis tools, achieving soundness and completeness remains an intractable problem [4–6]. Consequently, a lot of research in code analysis is centered on improving the alerts of static analysis tools [4, 7]. More recently, several researchers have proposed models based on deep learning and other machine learning approaches to scan and fix vulnerabilities in program code [8]. Many of these tools are still at an infant stage and have not yet made it to market. Based on current trends, we believe that the future of code analysis will involve more refined tools based on artificial intelligence (AI), machine learning, and other hybrid approaches.

In this work, we propose a hybrid code analysis framework that employs voice assistants (VAs) to allow a programmer to conversationally scan for and fix potential vulnerabilities in program code. The use of voice assistants has grown significantly in recent years. This work focuses primarily on the Google Assistant<sup>1</sup>, as it is the most popular [9] among virtual assistants.

The rest of the chapter is organized as follows: first, we discuss related work in the area of hybrid analysis in Section 2 followed by a discussion on challenges affecting adoption of existing approaches in Section 3. In Section 4, we theorize about the future of secure coding and propose a new code analysis approach in Section 5. We then use a case study to evaluate our proposed approach in Section 6 and present our conclusion in Section 7.
