A Security Perspective on Code Review: The Case of Chromium

Biase, Marco di; Bruntink, Magiel; Bacchelli, Alberto

doi:10.1109/scam.2016.30

Cited by 26 publications

(25 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors' results indicate relatively low effectiveness in vulnerability detection. In line with these results, di Biase et al [30] found that approximately only 1% of Chromium's review comments are about potential security flaws. While these studies [27]- [30] mainly focus on the effectiveness of code review on vulnerability detection, our study investigates whether developers can(not) detect vulnerabilities (specifically IIV) during code review and the underlying causes with a focus on developers' knowledge and mindset.…”

Section: Re L a T E D Wo R Kmentioning

confidence: 82%

Why Don’t Developers Detect Improper Input Validation? '; DROP TABLE Papers; --

Braz

Fregnan

Çalıklı

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Improper Input Validation (IIV) is a software vulnerability that occurs when a system does not safely handle input data. Even though IIV is easy to detect and fix, it still commonly happens in practice.In this paper, we study to what extent developers can detect IIV and investigate underlying reasons. This knowledge is essential to better understand how to support developers in creating secure software systems. We conduct an online experiment with 146 participants, of which 105 report at least three years of professional software development experience. Our results show that the existence of a visible attack scenario facilitates the detection of IIV vulnerabilities and that a significant portion of developers who did not find the vulnerability initially could identify it when warned about its existence. Yet, a total of 60 participants could not detect the vulnerability even after the warning. Other factors, such as the frequency with which the participants perform code reviews, influence the detection of IIV.

show abstract

Section: Re L a T E D Wo R Kmentioning

confidence: 82%

Why Don’t Developers Detect Improper Input Validation? '; DROP TABLE Papers; --

Braz

Fregnan

Çalıklı

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Thongtanunam et al [43] evaluated the impact that characteristics of MCR practices have on software quality, studying MCR practices in defective and clean source code files. Di Biase et al [22] analyzed the Chromium system to understand the impact of MCR on finding security issues, showing that the majority of missed security flaws relate to language-specific issues. However, these studies, as well as most of the current literature on contemporary code review, either focus on production files only or do not explicitly differentiate production from test code.…”

Section: Background and Motivationmentioning

confidence: 99%

When testing meets code review

Spadini¹,

Aniche

Storey

et al. 2018

Proceedings of the 40th International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

Automated testing is considered an essential process for ensuring software quality. However, writing and maintaining high-quality test code is challenging and frequently considered of secondary importance. For production code, many open source and industrial software projects employ code review, a well-established software quality practice, but the question remains whether and how code review is also used for ensuring the quality of test code. The aim of this research is to answer this question and to increase our understanding of what developers think and do when it comes to reviewing test code. We conducted both quantitative and qualitative methods to analyze more than 300,000 code reviews, and interviewed 12 developers about how they review test files. This work resulted in an overview of current code reviewing practices, a set of identified obstacles limiting the review of test code, and a set of issues that developers would like to see improved in code review tools. The study reveals that reviewing test files is very different from reviewing production files, and that the navigation within the review itself is one of the main issues developers currently face. Based on our findings, we propose a series of recommendations and suggestions for the design of tools and future research. CCS CONCEPTS• Software and its engineering → Software testing and debugging;

show abstract

“…Moreover, historical evidence provides several examples of individual cases that contributed to discovery in physics, economics, and social science (see "Five misunderstandings about case-study research" by Flyvjerg [20]). Even in the SE domain case studies of the Chromium project [14], [17], Apache case study by Mockus et al [42], and Mozilla case study by Khomh et al [26] have provided important insights. To promote building knowledge through families of experiments, as championed by Basili [5], we have made our dataset and scripts publicly available [48].…”

Section: Th R E a T S T O Va L I D I T Ymentioning

confidence: 99%

Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project

Paul

Turzo

Bosu

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Peer code review has been found to be effective in identifying security vulnerabilities. However, despite practicing mandatory code reviews, many Open Source Software (OSS) projects still encounter a large number of post-release security vulnerabilities, as some security defects escape those. Therefore, a project manager may wonder if there was any weakness or inconsistency during a code review that missed a security vulnerability. Answers to this question may help a manager pinpointing areas of concern and taking measures to improve the effectiveness of his/her project's code reviews in identifying security defects. Therefore, this study aims to identify the factors that differentiate code reviews that successfully identified security defects from those that missed such defects.With this goal, we conduct a case-control study of Chromium OS project. Using multi-stage semi-automated approaches, we build a dataset of 516 code reviews that successfully identified security defects and 374 code reviews where security defects escaped. The results of our empirical study suggest that the are significant differences between the categories of security defects that are identified and that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and has identified nine code review attributes that influence identifications of security defects. While time to complete a review, the number of mutual reviews between two developers, and if the review is for a bug fix have positive impacts on vulnerability identification, opposite effects are observed from the number of directories under review, the number of total reviews by a developer, and the total number of prior commits for the file under review.

show abstract

A Security Perspective on Code Review: The Case of Chromium

Cited by 26 publications

References 23 publications

Why Don’t Developers Detect Improper Input Validation? '; DROP TABLE Papers; --

Why Don’t Developers Detect Improper Input Validation? '; DROP TABLE Papers; --

When testing meets code review

Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project

Contact Info

Product

Resources

About