Where do developers admit their security-related concerns?
- URL: http://arxiv.org/abs/2405.10902v1
- Date: Fri, 17 May 2024 16:43:58 GMT
- Title: Where do developers admit their security-related concerns?
- Authors: Moritz Mock, Thomas Forrer, Barbara Russo
- Abstract summary: We analyzed different sources of code documentation from four large-scale, real-world, open-source projects in an industrial setting.
We found that developers prefer to document security concerns in source code comments and issue trackers.
- Score: 0.8180494308743708
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Developers use different means to document the security concerns of their code. Because of all of these opportunities, they may forget where the information is stored, or others may not be aware of it, and leave it unmaintained for so long that it becomes obsolete, if not useless. In this work, we analyzed different sources of code documentation from four large-scale, real-world, open-source projects in an industrial setting to understand where developers report their security concerns. In particular, we manually inspected 2.559 instances taken from source code comments, commit messages, and issue trackers. Overall, we found that developers prefer to document security concerns in source code comments and issue trackers. We also found that the longer the comments stay unfixed, the more likely they remain unfixed. Thus, to create awareness among developers, we implemented a pipeline to remind them about the introduction or removal of comments pointing to a security problem.
Related papers
- RedCode: Risky Code Execution and Generation Benchmark for Code Agents [50.81206098588923]
RedCode is a benchmark for risky code execution and generation.
RedCode-Exec provides challenging prompts that could lead to risky code execution.
RedCode-Gen provides 160 prompts with function signatures and docstrings as input to assess whether code agents will follow instructions.
arXiv Detail & Related papers (2024-11-12T13:30:06Z)
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerability-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z)
- Understanding Code Understandability Improvements in Code Reviews [79.16476505761582]
We analyzed 2,401 code review comments from Java open-source projects on GitHub.
83.9% of suggestions for improvement were accepted and integrated, with fewer than 1% later reverted.
arXiv Detail & Related papers (2024-10-29T12:21:23Z)
- Drop it All or Pick it Up? How Developers Responded to the Log4JShell Vulnerability [5.164262886682181]
We explore the prolific case of Log4JShell, possibly one of the vulnerabilities with the highest severity rating ever.
Our study confirms that developers show a quick response taking from 5 to 6 days.
Instead of dropping everything, developer activities surprisingly tend to increase for all pending issues and PRs.
arXiv Detail & Related papers (2024-07-05T05:33:10Z)
- Time to Separate from StackOverflow and Match with ChatGPT for Encryption [0.09208007322096533]
Security is a top concern among developers, but security issues are pervasive in code snippets.
ChatGPT can effectively aid developers when they engage with it properly.
arXiv Detail & Related papers (2024-06-10T10:56:59Z)
- DevEval: A Manually-Annotated Code Generation Benchmark Aligned with Real-World Code Repositories [83.5195424237358]
Existing benchmarks are poorly aligned with real-world code repositories.
We propose a new benchmark named DevEval, which has three advances.
DevEval comprises 1,874 testing samples from 117 repositories, covering 10 popular domains.
arXiv Detail & Related papers (2024-05-30T09:03:42Z)
- Are your comments outdated? Towards automatically detecting code-comment consistency [3.204922482708544]
Outdated comments are dangerous and harmful and may mislead subsequent developers.
We propose a learning-based method, called CoCC, to detect the consistency between code and comment.
Experiment results show that CoCC can effectively detect outdated comments with precision over 90%.
arXiv Detail & Related papers (2024-03-01T03:30:13Z)
- Toward Effective Secure Code Reviews: An Empirical Study of Security-Related Coding Weaknesses [14.134803943492345]
We conducted an empirical case study in two large open-source projects, OpenSSL and PHP.
Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories.
Some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities.
arXiv Detail & Related papers (2023-11-28T00:49:00Z)
- Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection [69.59980270078067]
We explore the untargeted backdoor watermarking scheme, where the abnormal model behaviors are not deterministic.
We also discuss how to use the proposed untargeted backdoor watermark for dataset ownership verification.
arXiv Detail & Related papers (2022-09-27T12:56:56Z)
- Deep Just-In-Time Inconsistency Detection Between Comments and Source Code [51.00904399653609]
In this paper, we aim to detect whether a comment becomes inconsistent as a result of changes to the corresponding body of code.
We develop a deep-learning approach that learns to correlate a comment with code changes.
We show the usefulness of our approach by combining it with a comment update model to build a more comprehensive automatic comment maintenance system.
arXiv Detail & Related papers (2020-10-04T16:49:28Z)
- Predicting Vulnerability In Large Codebases With Deep Code Representation [6.357681017646283]
As software engineers write code for various modules, various types of errors quite often get introduced.
Same or similar issues/bugs, which were fixed in the past (although in different modules), tend to get introduced in production code again.
We developed a novel AI-based system which uses the deep representation of Abstract Syntax Tree (AST) created from the source code and also the active feedback loop.
arXiv Detail & Related papers (2020-04-24T13:18:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.