Files
logseq/pages/hls__msr2024-technical-paper100-SATD_1702046660022_0.md
T
2025-06-05 22:07:12 +02:00

163 lines
7.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
file:: [msr2024-technical-paper100-SATD_1702046660022_0.pdf](../assets/msr2024-technical-paper100-SATD_1702046660022_0.pdf)
file-path:: ../assets/msr2024-technical-paper100-SATD_1702046660022_0.pdf
- This work investigates the security implications of SATD from a technical and developer-centred perspective.
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657b0337-6189-4b88-828a-a4e41e886c07
- it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 657b034a-6da8-4c4e-9589-da4b20a0d5bc
- it delves into developers perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 657b035f-880e-400d-b6bc-52cfc54836df
- analysis of a preexisting dataset containing 94,455 SATD instances
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657b037c-e116-4902-af66-9151ee9ac98e
- online survey with 222 OSS practitioners
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657b0383-b5ac-4672-a89d-3fa8c3dcdf15
- We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration(CWE) identifiers.
ls-type:: annotation
hl-page:: 1
hl-color:: blue
id:: 657b03d6-fc1a-4889-9316-a0048d186dcf
- 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, from which 8 appear among MITREs Top-25 most dangerous ones
ls-type:: annotation
hl-page:: 1
hl-color:: blue
id:: 657b03f5-da8f-43b9-b6f9-f9dd4ac56d3a
- The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and help them spot flaky code sections, among other motives.
ls-type:: annotation
hl-page:: 1
hl-color:: yellow
id:: 657b0418-e290-4295-b8ea-881eb58074ad
- Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks.
ls-type:: annotation
hl-page:: 1
hl-color:: yellow
id:: 657b046c-1931-43c5-a9bc-86d76e4e5c78
- circumvent with spurious design workarounds and sub-optimal implementations
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657dc10b-c38b-4a52-b157-494912c8d7c5
- low-quality artefacts that can impair the future maintenance and evolution of the system being developed
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657dc119-1283-4d18-a8eb-7ef4e1eaaa4b
- TD can incur extra work in the longterm, not to mention additional costs.
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657dc13b-c9f7-4126-b876-5ad92d0bbc4f
- it is deemed a critical issue for software development and considered ubiquitous to most software projects across all industry segments
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 657dc145-ed1e-4fea-b3d7-f08c4c30fe94
- security incurs extra costs as it is frequently seen as an “after-thought” instead of an actual priority in the software development life cycle
ls-type:: annotation
hl-page:: 1
hl-color:: green
id:: 657dc170-7bea-4bff-bae2-a4de42595c02
- intersection between TD and security
ls-type:: annotation
hl-page:: 1
hl-color:: blue
id:: 657dc187-f390-45fe-986f-312a1ccc2ab6
- significant part of TD is explicitly reported by developers themselves in the form of “self-admissions”, namely through software artefacts such as code comments
ls-type:: annotation
hl-page:: 1
hl-color:: blue
id:: 657dc1ad-caf0-4cff-8619-2ae58d6fbd8a
- Particularly, an attacker could take advantage of security pointers disclosed inside these sources (e.g., a code comment like “TODO: Make it thread-safe”) to spot exploitable weaknesses in the system threatening its availability, confidentiality and integrity.
ls-type:: annotation
hl-page:: 1
hl-color:: purple
id:: 657dc1e2-9695-46ff-b97d-1149ee389da5
- the security implications of SATD have not been investigated nor documented throughout the literature up to our knowledge
ls-type:: annotation
hl-page:: 1
hl-color:: blue
id:: 657dc427-af89-4c6b-bce5-4cb9d1a4c390
- implications of security pointers inside SATD instances across multiple sources
ls-type:: annotation
hl-page:: 2
hl-color:: purple
id:: 657dc6fb-e377-4918-99cb-750ab2872eaa
- whether explicit references to security vulnerabilities inside code comments, commits, issue reports, and pull requests can help characterise exploitable weaknesses inside Open-Source Software (OSS
ls-type:: annotation
hl-page:: 2
hl-color:: blue
id:: 657dc710-9843-4cbd-ac68-61370542bd06
- OSS projects and repositories as they become easy targets of security attacks by making their artefacts visible and available to the public in general
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc74f-1a59-490f-89d9-dd3bd5143987
- RQ1: Can SATD sources contain pointers to security weaknesses and vulnerabilities inside OSS repositories?
ls-type:: annotation
hl-page:: 2
hl-color:: blue
id:: 657dc794-12d3-4c51-91b8-77e5a5ef87d4
- 546 security-relevant SATD candidates and inspected them manually for security pointers
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc7a1-e7f0-4bcc-af73-58094e6608af
- 201 Security Self-Admitted Technical Debt (SSATD) observations that we considered for further analysis
ls-type:: annotation
hl-page:: 2
hl-color:: yellow
id:: 657dc7ac-5da8-4f6f-b13d-53927c27ef57
- RQ2: Which particular weakness and vulnerabilities are frequently exposed through different SATD sources?
ls-type:: annotation
hl-page:: 2
hl-color:: blue
id:: 657dc7d0-92a6-4e6b-af25-a2a30bff0079
- 25 different CWE types across commit messages, code comments, pull requests, and issue reports. Moreover, 8 of these 25 CWEs appear listed among MITREs Top-25 most dangerous software weaknesses in 2023.
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc806-5f06-4633-a890-e5639a826fa5
- RQ3: What is developers perspective on security-related SATD in OSS repositories?
ls-type:: annotation
hl-page:: 2
hl-color:: blue
id:: 657dc80c-3168-4d1e-a104-2ae61b0ce9b4
- many practitioners engage with this practice, although they recognise it as potentially risky.
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc827-0c7e-4b4b-8852-afdd509477af
- a few publications in the current literature explore the interface between software security and TD
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc8b7-d222-40d5-8d66-705aaaccff4b
- they suggest that tools/methods such as code reviews and threat modelling are suitable to spot internal quality issues in software requirements, coding, architecture, and testing
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dc8ed-8198-455d-b95c-6e3f183b7401
- They conclude that TD pointers can help improve the performance of Machine Learning (ML) models for vulnerability prediction.
ls-type:: annotation
hl-page:: 2
hl-color:: green
id:: 657dca95-443e-4a10-8e43-8bca892cb0ba
- more than 55% of self-admissions in the form of code comments correspond to insecure implementations/snippets
ls-type:: annotation
hl-page:: 2
hl-color:: blue
id:: 657dcabf-d2aa-4545-b8ea-0ce2982bda30