Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021

Peer code review has been found to be effective in identifying security vulnerabilities. However, despite practicing mandatory code reviews, many Open Source Software (OSS) projects still encounter a large number of post-release security vulnerabilities, as some security defects escape those. Therefore, a project manager may wonder if there was any weakness or inconsistency during a code review that missed a security vulnerability. Answers to this question may help a manager pinpointing areas of concern and taking measures to improve the effectiveness of his/her project’s code reviews in identifying security defects. Therefore, this study aims to identify the factors that differentiate code reviews that successfully identified security defects from those that missed such defects.

With this goal, we conduct a case-control study of Chromium OS project. Using multi-stage semi-automated approaches, we build a dataset of 516 code reviews that successfully identified security defects and 374 code reviews where security defects escaped. The results of our empirical study suggest that the are significant differences between the categories of security defects that are identified and that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and has identified nine code review attributes that influence identifications of security defects. While time to complete a review, the number of mutual reviews between two developers, and if the review is for a bug fix have positive impacts on vulnerability identification, opposite effects are observed from the number of directories under review, the number of total reviews by a developer, and the total number of prior commits for the file under review.

Thu 27 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:30 - 17:30
3.4.2. Security Vulnerabilities: From 3rd Parties' CodeTechnical Track / SEIP - Software Engineering in Practice / Journal-First Papers at Blended Sessions Room 2 +12h
Chair(s): Jeff Carver University of Alabama
16:30
20m
Paper
An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code ExamplesJournal-First
Journal-First Papers
Morteza Verdi Shiraz University, Ashkan Sami Shiraz University, Jafar Akhondali Shiraz University, Foutse Khomh Polytechnique Montréal, Gias Uddin University of Calgary, Canada, Alireza Karami Motlagh Shiraz University
Link to publication DOI Pre-print Media Attached
16:50
20m
Paper
Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHubSEIP
SEIP - Software Engineering in Practice
Danielle Gonzalez Rochester Institute of Technology, Thomas Zimmermann Microsoft Research, Patrice Godefroid Microsoft Research, USA, Max Schaefer GitHub, Inc.
Pre-print Media Attached
17:10
20m
Paper
Why Security Defects Go Unnoticed during Code Reviews? A Case-Control Study of the Chromium OS ProjectArtifact ReusableTechnical TrackArtifact Available
Technical Track
Rajshakhar Paul Wayne State University, Asif Kamal Turzo Wayne State University, Amiangshu Bosu Wayne State University
Pre-print Media Attached

Fri 28 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

04:30 - 05:30
3.4.2. Security Vulnerabilities: From 3rd Parties' CodeTechnical Track / Journal-First Papers / SEIP - Software Engineering in Practice at Blended Sessions Room 2
04:30
20m
Paper
An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code ExamplesJournal-First
Journal-First Papers
Morteza Verdi Shiraz University, Ashkan Sami Shiraz University, Jafar Akhondali Shiraz University, Foutse Khomh Polytechnique Montréal, Gias Uddin University of Calgary, Canada, Alireza Karami Motlagh Shiraz University
Link to publication DOI Pre-print Media Attached
04:50
20m
Paper
Anomalicious: Automated Detection of Anomalous and Potentially Malicious Commits on GitHubSEIP
SEIP - Software Engineering in Practice
Danielle Gonzalez Rochester Institute of Technology, Thomas Zimmermann Microsoft Research, Patrice Godefroid Microsoft Research, USA, Max Schaefer GitHub, Inc.
Pre-print Media Attached
05:10
20m
Paper
Why Security Defects Go Unnoticed during Code Reviews? A Case-Control Study of the Chromium OS ProjectArtifact ReusableTechnical TrackArtifact Available
Technical Track
Rajshakhar Paul Wayne State University, Asif Kamal Turzo Wayne State University, Amiangshu Bosu Wayne State University
Pre-print Media Attached