Toward effective secure code reviews: An empirical study of security-related coding weaknesses
Identifying security issues early is encouraged to reduce the latent negative impacts on software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a software development cycle. However, existing code review studies...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2024
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/9173 https://ink.library.smu.edu.sg/context/sis_research/article/10178/viewcontent/ping__1_.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-10178 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-101782024-08-13T05:30:42Z Toward effective secure code reviews: An empirical study of security-related coding weaknesses CHAROENWET, Wachiraphan THONGTANUNAM, Patanamon PHAM, Thuan TREUDE, Christoph Identifying security issues early is encouraged to reduce the latent negative impacts on software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a software development cycle. However, existing code review studies often focus on known vulnerabilities, neglecting coding weaknesses, which can introduce real-world security issues that are more visible through code review. The practices of code reviews in identifying such coding weaknesses are not yet fully investigated. To better understand this, we conducted an empirical case study in two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities. Developers attempted to address raised security concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when identified. Our findings suggest that reviewers can identify various coding weaknesses leading to security issues during code reviews. However, these results also reveal shortcomings in current code review practices, indicating the need for more effective mechanisms or support for increasing awareness of security issue management in code reviews. 2024-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/9173 info:doi/10.1007/s10664-024-10496-y https://ink.library.smu.edu.sg/context/sis_research/article/10178/viewcontent/ping__1_.pdf http://creativecommons.org/licenses/by/3.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Secure Code Review Code Review Vulnerability Coding Weakness Software Weakness Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Secure Code Review Code Review Vulnerability Coding Weakness Software Weakness Software Engineering |
| spellingShingle |
Secure Code Review Code Review Vulnerability Coding Weakness Software Weakness Software Engineering CHAROENWET, Wachiraphan THONGTANUNAM, Patanamon PHAM, Thuan TREUDE, Christoph Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| description |
Identifying security issues early is encouraged to reduce the latent negative impacts on software systems. Code review is a widely-used method that allows developers to manually inspect modified code, catching security issues during a software development cycle. However, existing code review studies often focus on known vulnerabilities, neglecting coding weaknesses, which can introduce real-world security issues that are more visible through code review. The practices of code reviews in identifying such coding weaknesses are not yet fully investigated. To better understand this, we conducted an empirical case study in two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities. Developers attempted to address raised security concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when identified. Our findings suggest that reviewers can identify various coding weaknesses leading to security issues during code reviews. However, these results also reveal shortcomings in current code review practices, indicating the need for more effective mechanisms or support for increasing awareness of security issue management in code reviews. |
| format |
text |
| author |
CHAROENWET, Wachiraphan THONGTANUNAM, Patanamon PHAM, Thuan TREUDE, Christoph |
| author_facet |
CHAROENWET, Wachiraphan THONGTANUNAM, Patanamon PHAM, Thuan TREUDE, Christoph |
| author_sort |
CHAROENWET, Wachiraphan |
| title |
Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| title_short |
Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| title_full |
Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| title_fullStr |
Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| title_full_unstemmed |
Toward effective secure code reviews: An empirical study of security-related coding weaknesses |
| title_sort |
toward effective secure code reviews: an empirical study of security-related coding weaknesses |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2024 |
| url |
https://ink.library.smu.edu.sg/sis_research/9173 https://ink.library.smu.edu.sg/context/sis_research/article/10178/viewcontent/ping__1_.pdf |
| _version_ |
1814047781581488128 |