Identifying the characteristics of vulnerable code changes: an empirical study

Bosu, Amiangshu; Carver, Jeffrey C.; Hafiz, Munawar; Hilley, Patrick; Janni, Derek

doi:10.1145/2635868.2635880

Cited by 98 publications

(95 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bosu et al [7] and Bosu [6] performed a study on the characteristics of vulnerable code changes. The study found that careful review should be done to modified files and that code changes are made often by less-experienced developers.…”

Section: Related Workmentioning

confidence: 99%

“…There are extensive work on techniques, tools, and processes to develop a secure development process, including the development of secure software using the agile approach [5] and identification of characteristics of vulnerable code change [7]. This study enumerates the security aspects that the developers address when they modify their software.…”

Section: Impact Of the Studymentioning

confidence: 99%

See 1 more Smart Citation

The current practices of changing secure software

Jamil

Othmane

Valani

et al. 2020

Proceedings of the 35th Annual ACM Symposium on Applied Computing

View full text Add to dashboard Cite

Developers change the code of their software to add new features, fix bugs, or enhance its structure. Such frequent changes impact occasionally the security of the software. This paper reports a qualitative study of the practices of changing secure-software in the industry. The study involves interviews with eleven developers and security experts working on banking software, software for control systems, and software consultation companies. Through these interviews, we identified that the main security aspects are: dependency vulnerabilities, authentication and authorization, and OWASP 10 vulnerabilities. The common techniques used to assess software after code change are: code review, code analysis, testing, and keywords search. The main challenges that practitioners face are the diversity of the security issues and the lack of effectiveness of the security assurance tools in detecting vulnerabilities. The study suggests that developers of secure software need techniques that support effective security assurance of modified software. CCS CONCEPTS • Security and privacy → Software security engineering;

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Impact Of the Studymentioning

confidence: 99%

The current practices of changing secure software

Jamil

Othmane

Valani

et al. 2020

Proceedings of the 35th Annual ACM Symposium on Applied Computing

View full text Add to dashboard Cite

show abstract

“…al. analyzed the security vulnerabilities that could be discovered by code review, identified the characteristics of vulnerable code, and the developers that wrote it [18]. They found that the common types of identified vulnerabilities are buffer overflow and cross-site scripting.…”

Section: Related Workmentioning

confidence: 99%

Identification of the Impacts of Code Changes on the Security of Software

Othmane

Jamil

Abdelkhalek

2019

2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)

View full text Add to dashboard Cite

Companies develop their software in versions and iterations. Ensuring the security of each additional version using code review is costly and time consuming. This paper investigates automated tracing of the impacts of code changes on the security of a given software. To this end, we use call graphs to model the software code, and security assurance cases to model the security requirements of the software. Then we relate assurance case elements to code through the entry point methods of the software, creating a map of monitored security functions. This mapping allows to evaluate the security requirements that are affected by code changes. The approach is implemented in a set of tools and evaluated using three open-source ERP/E-commerce software applications. The limited evaluation showed that the approach is effective in identifying the impacts of code changes on the security of the software. The approach promises to considerably reduce the security assessment time of the subsequent releases and iterations of software, keeping the initial security state throughout the software lifetime.

show abstract

“…Additionally, our focus is specific to the Android system for which there is scarce work in the literature of vulnerability prediction. Perhaps the most relevant work to ours is by Bosu et al [34] who studied the characteristics of vulnerable code changes. However, our study differs from it in the following three ways: a) we study changes that fix a vulnerability rather than ones that introduce it, b) we study known, severe and exploitable vulnerabilities rather than those found by code reviews and c) we aim at categorizing and describing the origin of the Android vulnerabilities and not generic changes that might indicate the introduction of one.…”

Section: Related Workmentioning

confidence: 99%

Profiling Android Vulnerabilities

Jiménez

Papadakis

Bissyandé

et al. 2016

2016 IEEE International Conference on Software Quality, Reliability and Security (QRS)

View full text Add to dashboard Cite

Abstract-In widely used mobile operating systems a single vulnerability can threaten the security and privacy of billions of users. Therefore, identifying vulnerabilities and fortifying software systems requires constant attention and effort. However, this is costly and it is almost impossible to analyse an entire code base. Thus, it is necessary to prioritize efforts towards the most likely vulnerable areas. A first step in identifying these areas is to profile vulnerabilities based on previously reported ones. To investigate this, we performed a manual analysis of Android vulnerabilities, as reported in the National Vulnerability Database for the period 2008 to 2014. In our analysis, we identified a comprehensive list of issues leading to Android vulnerabilities. We also point out characteristics of the locations where vulnerabilities reside, the complexity of these locations and the complexity to fix the vulnerabilities. To enable future research, we make available all of our data.

show abstract

Identifying the characteristics of vulnerable code changes: an empirical study

Cited by 98 publications

References 43 publications

The current practices of changing secure software

The current practices of changing secure software

Identification of the Impacts of Code Changes on the Security of Software

Profiling Android Vulnerabilities

Contact Info

Product

Resources

About