Toward Effective Secure Code Reviews: An Empirical Study of Security-Related Coding Weaknesses
arxiv(2023)
摘要
Identifying security issues early is encouraged to reduce the latent negative
impacts on software systems. Code review is a widely-used method that allows
developers to manually inspect modified code, catching security issues during a
software development cycle. However, existing code review studies often focus
on known vulnerabilities, neglecting coding weaknesses, which can introduce
real-world security issues that are more visible through code review. The
practices of code reviews in identifying such coding weaknesses are not yet
fully investigated.
To better understand this, we conducted an empirical case study in two large
open-source projects, OpenSSL and PHP. Based on 135,560 code review comments,
we found that reviewers raised security concerns in 35 out of 40 coding
weakness categories. Surprisingly, some coding weaknesses related to past
vulnerabilities, such as memory errors and resource management, were discussed
less often than the vulnerabilities. Developers attempted to address raised
security concerns in many cases (39
acknowledged (30
solutions (18
code review even when identified. Our findings suggest that reviewers can
identify various coding weaknesses leading to security issues during code
reviews. However, these results also reveal shortcomings in current code review
practices, indicating the need for more effective mechanisms or support for
increasing awareness of security issue management in code reviews.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要