163 lines
7.4 KiB
Markdown
163 lines
7.4 KiB
Markdown
file:: [msr2024-technical-paper100-SATD_1702046660022_0.pdf](../assets/msr2024-technical-paper100-SATD_1702046660022_0.pdf)
|
||
file-path:: ../assets/msr2024-technical-paper100-SATD_1702046660022_0.pdf
|
||
|
||
- This work investigates the security implications of SATD from a technical and developer-centred perspective.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657b0337-6189-4b88-828a-a4e41e886c07
|
||
- it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: purple
|
||
id:: 657b034a-6da8-4c4e-9589-da4b20a0d5bc
|
||
- it delves into developers’ perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: purple
|
||
id:: 657b035f-880e-400d-b6bc-52cfc54836df
|
||
- analysis of a preexisting dataset containing 94,455 SATD instances
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657b037c-e116-4902-af66-9151ee9ac98e
|
||
- online survey with 222 OSS practitioners
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657b0383-b5ac-4672-a89d-3fa8c3dcdf15
|
||
- We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration(CWE) identifiers.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: blue
|
||
id:: 657b03d6-fc1a-4889-9316-a0048d186dcf
|
||
- 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, from which 8 appear among MITRE’s Top-25 most dangerous ones
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: blue
|
||
id:: 657b03f5-da8f-43b9-b6f9-f9dd4ac56d3a
|
||
- The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and help them spot flaky code sections, among other motives.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: yellow
|
||
id:: 657b0418-e290-4295-b8ea-881eb58074ad
|
||
- Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: yellow
|
||
id:: 657b046c-1931-43c5-a9bc-86d76e4e5c78
|
||
- circumvent with spurious design workarounds and sub-optimal implementations
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657dc10b-c38b-4a52-b157-494912c8d7c5
|
||
- low-quality artefacts that can impair the future maintenance and evolution of the system being developed
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657dc119-1283-4d18-a8eb-7ef4e1eaaa4b
|
||
- TD can incur extra work in the longterm, not to mention additional costs.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657dc13b-c9f7-4126-b876-5ad92d0bbc4f
|
||
- it is deemed a critical issue for software development and considered ubiquitous to most software projects across all industry segments
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: purple
|
||
id:: 657dc145-ed1e-4fea-b3d7-f08c4c30fe94
|
||
- security incurs extra costs as it is frequently seen as an “after-thought” instead of an actual priority in the software development life cycle
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: green
|
||
id:: 657dc170-7bea-4bff-bae2-a4de42595c02
|
||
- intersection between TD and security
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: blue
|
||
id:: 657dc187-f390-45fe-986f-312a1ccc2ab6
|
||
- significant part of TD is explicitly reported by developers themselves in the form of “self-admissions”, namely through software artefacts such as code comments
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: blue
|
||
id:: 657dc1ad-caf0-4cff-8619-2ae58d6fbd8a
|
||
- Particularly, an attacker could take advantage of security pointers disclosed inside these sources (e.g., a code comment like “TODO: Make it thread-safe”) to spot exploitable weaknesses in the system threatening its availability, confidentiality and integrity.
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: purple
|
||
id:: 657dc1e2-9695-46ff-b97d-1149ee389da5
|
||
- the security implications of SATD have not been investigated nor documented throughout the literature up to our knowledge
|
||
ls-type:: annotation
|
||
hl-page:: 1
|
||
hl-color:: blue
|
||
id:: 657dc427-af89-4c6b-bce5-4cb9d1a4c390
|
||
- implications of security pointers inside SATD instances across multiple sources
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: purple
|
||
id:: 657dc6fb-e377-4918-99cb-750ab2872eaa
|
||
- whether explicit references to security vulnerabilities inside code comments, commits, issue reports, and pull requests can help characterise exploitable weaknesses inside Open-Source Software (OSS
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: blue
|
||
id:: 657dc710-9843-4cbd-ac68-61370542bd06
|
||
- OSS projects and repositories as they become easy targets of security attacks by making their artefacts visible and available to the public in general
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc74f-1a59-490f-89d9-dd3bd5143987
|
||
- RQ1: Can SATD sources contain pointers to security weaknesses and vulnerabilities inside OSS repositories?
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: blue
|
||
id:: 657dc794-12d3-4c51-91b8-77e5a5ef87d4
|
||
- 546 security-relevant SATD candidates and inspected them manually for security pointers
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc7a1-e7f0-4bcc-af73-58094e6608af
|
||
- 201 Security Self-Admitted Technical Debt (SSATD) observations that we considered for further analysis
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: yellow
|
||
id:: 657dc7ac-5da8-4f6f-b13d-53927c27ef57
|
||
- RQ2: Which particular weakness and vulnerabilities are frequently exposed through different SATD sources?
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: blue
|
||
id:: 657dc7d0-92a6-4e6b-af25-a2a30bff0079
|
||
- 25 different CWE types across commit messages, code comments, pull requests, and issue reports. Moreover, 8 of these 25 CWEs appear listed among MITRE’s Top-25 most dangerous software weaknesses in 2023.
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc806-5f06-4633-a890-e5639a826fa5
|
||
- RQ3: What is developers’ perspective on security-related SATD in OSS repositories?
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: blue
|
||
id:: 657dc80c-3168-4d1e-a104-2ae61b0ce9b4
|
||
- many practitioners engage with this practice, although they recognise it as potentially risky.
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc827-0c7e-4b4b-8852-afdd509477af
|
||
- a few publications in the current literature explore the interface between software security and TD
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc8b7-d222-40d5-8d66-705aaaccff4b
|
||
- they suggest that tools/methods such as code reviews and threat modelling are suitable to spot internal quality issues in software requirements, coding, architecture, and testing
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dc8ed-8198-455d-b95c-6e3f183b7401
|
||
- They conclude that TD pointers can help improve the performance of Machine Learning (ML) models for vulnerability prediction.
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: green
|
||
id:: 657dca95-443e-4a10-8e43-8bca892cb0ba
|
||
- more than 55% of self-admissions in the form of code comments correspond to insecure implementations/snippets
|
||
ls-type:: annotation
|
||
hl-page:: 2
|
||
hl-color:: blue
|
||
id:: 657dcabf-d2aa-4545-b8ea-0ce2982bda30 |