DOI: 10.1145/3643991.3644909
Research article (Open access)

What Can Self-Admitted Technical Debt Tell Us About Security? A Mixed-Methods Study

Published: 02 July 2024

Abstract

Self-Admitted Technical Debt (SATD) encompasses a wide array of sub-optimal design and implementation choices that developers themselves report in software artefacts (e.g., code comments and commit messages). Such reports have been central to the study of software maintenance and evolution over the last decades. However, they can also be regarded as a dreadful source of information on potentially exploitable vulnerabilities and security flaws.

Objective: This work investigates the security implications of SATD from a technical and developer-centred perspective. On the one hand, it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories. On the other hand, it delves into developers' perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences.

Method: We followed a mixed-methods approach consisting of (i) the analysis of a pre-existing dataset containing 8,812 SATD instances and (ii) an online survey with 222 OSS practitioners.

Results: We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration (CWE) identifiers. Overall, 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, 8 of which appear in MITRE's Top-25 most dangerous weaknesses. The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and to help them spot flaky code sections, among other motives. However, they also consider this practice risky, as it may facilitate the exploitation of vulnerabilities.

Implications: Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks.


Published In

MSR '24: Proceedings of the 21st International Conference on Mining Software Repositories
April 2024
788 pages
ISBN:9798400705878
DOI:10.1145/3643991
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. self-admitted technical debt
  2. software security
  3. software engineering
  4. technical debt identification

Conference

MSR '24