Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project

Paul, Rajshakhar; Turzo, Asif Kamal; Bosu, Amiangshu

doi:10.1109/icse43902.2021.00124

Cited by 26 publications

(16 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…During the code review process, reviewers may follow the security code review practice (Howard 2006) to detect various potential security issues in the code. Prior studies have investigated the well-known security issues such as overflow, cross-site scripting, SQL injection, and cross-site request forgery that can be identified during the code review process (Paul et al 2021b;Bosu et al 2014;Bosu and Carver 2013;Edmundson et al 2013;Alfadel et al 2023;Di Biase et al 2016). Edmundson et al (2013) conducted a controlled study by asking developers to identify the injected vulnerable code in a web application called Anchor CMS.…”

Section: Code Review For Software Securitymentioning

confidence: 99%

See 1 more Smart Citation

Toward effective secure code reviews: an empirical study of security-related coding weaknesses

Charoenwet,

Thongtanunam,

Pham

et al. 2024

Empir Software Eng

View full text Add to dashboard Cite

Identifying security issues early is encouraged to reduce the latent negative impacts on the software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a software development cycle. However, existing code review studies often focus on known vulnerabilities, neglecting coding weaknesses, which can introduce real-world security issues that are more visible through code review. The practices of code reviews in identifying such coding weaknesses are not yet fully investigated. To better understand this, we conducted an empirical case study in two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities. Developers attempted to address raised security concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when identified. Our findings suggest that reviewers can identify various coding weaknesses leading to security issues during code reviews. However, these results also reveal shortcomings in current code review practices, indicating the need for more effective mechanisms or support for increasing awareness of security issue management in code reviews.

show abstract

Section: Code Review For Software Securitymentioning

confidence: 99%

“…Several studies have investigated the benefits of code reviews in identifying security issues (Alfadel et al 2023;Bosu et al 2014;Di Biase et al 2016;Edmundson et al 2013;Paul et al 2021b). Still, the security issues studied by previous works were typically bounded by the types of well-known vulnerabilities such as SQL Injection and XSS.…”

Section: Introductionmentioning

confidence: 99%

Toward effective secure code reviews: an empirical study of security-related coding weaknesses

Charoenwet,

Thongtanunam,

Pham

et al. 2024

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…However, the results showed that prompting for finding security issues in code reviews significantly affects developers' identification of security issues. A study found the relevant factors in successful identification of security issues in code reviews [197]. The results indicate that the probability of security issues identification decreases with the increase in review factors such as number of reviewer's prior reviews, and number of review comments authored on a file during the current review cycle.…”

Section: Mcr Themes and Contributionsmentioning

confidence: 99%

Modern Code Reviews—Survey of Literature and Practice

Badampudi

Unterkalmsteiner

Britto

2023

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

Background: Modern Code Review (MCR) is a lightweight alternative to traditional code inspections. While secondary studies on MCR exist; it is unknown whether the research community has targeted themes that practitioners consider important. Objectives: The objectives are to provide an overview of MCR research, analyze the practitioners’ opinions on the importance of MCR research, investigate the alignment between research and practice, and propose future MCR research avenues. Method: We conducted a systematic mapping study to survey state-of-the-art until and including 2021, employed the Q-Methodology to analyze the practitioners’ perception of the relevance of MCR research, and analyzed the primary studies’ research impact. Results: We analyzed 244 primary studies, resulting in five themes. As a result of the 1300 survey data points, we found that the respondents are positive about research investigating the impact of MCR on product quality and MCR process properties. In contrast, they are negative about human factor- and support systems-related research. Conclusion: These results indicate a misalignment between the state-of-the-art and the themes deemed important by most survey respondents. Researchers should focus on solutions that can improve the state of MCR practice. We provide an MCR research agenda, which can potentially increase the impact of MCR research.

show abstract

“…CWE provides a hierarchical classification scheme for vulnerabilities [42]. To reduce the dimensionality of our analysis, we combined similar CWE categories into higher-level categories using the hierarchical structure of CWE [49].…”

Section: Data Collectionmentioning

confidence: 99%

Noisy Label Learning for Security Defects

Croft¹,

Babar²,

Chen³

2022

Preprint

View full text Add to dashboard Cite

Data-driven software engineering processes, such as vulnerability prediction heavily rely on the quality of the data used. In this paper, we observe that it is infeasible to obtain a noise-free security defect dataset in practice. Despite the vulnerable class, the non-vulnerable modules are difficult to be verified and determined as truly exploit free given the limited manual efforts available. It results in uncertainty, introduces labeling noise in the datasets and affects conclusion validity. To address this issue, we propose novel learning methods that are robust to label impurities and can leverage the most from limited label data; noisy label learning. We investigate various noisy label learning methods applied to software vulnerability prediction. Specifically, we propose a two-stage learning method based on noise cleaning to identify and remediate the noisy samples, which improves AUC and recall of baselines by up to 8.9% and 23.4%, respectively. Moreover, we discuss several hurdles in terms of achieving a performance upper bound with semi-omniscient knowledge of the label noise. Overall, the experimental results show that learning from noisy labels can be effective for data-driven software and security analytics.

show abstract

Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project

Cited by 26 publications

References 50 publications

Toward effective secure code reviews: an empirical study of security-related coding weaknesses

Toward effective secure code reviews: an empirical study of security-related coding weaknesses

Modern Code Reviews—Survey of Literature and Practice

Noisy Label Learning for Security Defects

Contact Info

Product

Resources

About