University of Oulu

Iannone, E., Codabux, Z., Lenarduzzi, V. et al. Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on security. Empir Software Eng 28, 89 (2023).

Rubbing salt in the wound? : a large-scale investigation into the effects of refactoring on security

Saved in:
Author: Iannone, Emanuele1; Codabux, Zadia2; Lenarduzzi, Valentina3;
Organizations: 1SeSa Lab, University of Salerno, Via Giovanni Paolo II, 132, 84084, Fisciano, SA, Italy
2University of Saskatchewan, Saskatoon, SK, Canada
3University of Oulu, Pentti Kaiteran katu 1, 90570, Oulu, Finland
Format: article
Version: published version
Access: open
Online Access: PDF Full Text (PDF, 3.4 MB)
Persistent link:
Language: English
Published: Springer Nature, 2023
Publish Date: 2023-06-29


Software refactoring is a behavior-preserving activity to improve the source code quality without changing its external behavior. Unfortunately, it is often a manual and error-prone task that may induce regressions in the source code. Researchers have provided initial compelling evidence of the relation between refactoring and defects, yet little is known about how much it may impact software security. This paper bridges this knowledge gap by presenting a large-scale empirical investigation into the effects of refactoring on the security profile of applications. We conduct a three-level mining software repository study to establish the impact of 14 refactoring types on (i) security-related metrics, (ii) security technical debt, and (iii) the introduction of known vulnerabilities. The study covers 39 projects and a total amount of 7,708 refactoring commits. The key results show that refactoring has a limited connection to security. However, Inline Method and Extract Interface statistically contribute to improving some security aspects connected to encapsulating security-critical code components. Extract Superclass and Pull Up Attribute refactoring are commonly found in commits violating specific security best practices for writing secure code. Finally, Extract Superclass and Extract & Move Method refactoring tend to occur more often in commits contributing to the introduction of vulnerabilities. We conclude by distilling lessons learned and recommendations for researchers and practitioners.

see all

Series: Empirical software engineering
ISSN: 1382-3256
ISSN-E: 1573-7616
ISSN-L: 1382-3256
Volume: 28
Issue: 4
Article number: 89
DOI: 10.1007/s10664-023-10287-x
Type of Publication: A1 Journal article – refereed
Field of Science: 113 Computer and information sciences
Funding: Fabio and Zadia gratefully acknowledge the support of the Swiss National Science Foundation (SNSF) through the SNF Project No. PZ00P2_186090 (TED) and the Natural Sciences and Engineering Research Council of Canada (RGPIN-2021-04232 and DGECR-2021-00283), respectively. This work has been partially supported by the EMELIOT national research project, funded by the MUR under the PRIN 2020 program (Contract 2020W3A5FY). This work was partially supported by project SERICS (PE00000014) under the NRRP MUR program funded by the EU - NGEU. Open access funding provided by Università degli Studi di Salerno within the CRUI-CARE Agreement.
Copyright information: © The Author(s) 2023. This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit