
Characteristics of the vulnerable code changes identified through peer code review

Published: 31 May 2014

Abstract

To make effective use of the efforts of scarce security experts, this study aims to provide empirical evidence about the characteristics of security vulnerabilities. Using a three-stage, manual analysis of peer code review data from 10 popular Open Source Software (OSS) projects, this study identified 413 potentially vulnerable code changes (VCCs). Some key results include: 1) the most experienced contributors authored the majority of the VCCs; 2) while less experienced authors wrote fewer VCCs, their code changes were 1.5 to 24 times more likely to be vulnerable; 3) employees of the organization sponsoring an OSS project are more likely to write VCCs.

Published In

ICSE Companion 2014: Companion Proceedings of the 36th International Conference on Software Engineering
May 2014, 741 pages
ISBN: 9781450327688
DOI: 10.1145/2591062

In-Cooperation: TCSE, IEEE Computer Society's Technical Council on Software Engineering

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

1. code review
2. inspection
3. open source
4. security defects
5. vulnerability
