D. Gigante et al., "Resolving Security Issues via Quality-Oriented Refactoring: A User Study," 2023 ACM/IEEE International Conference on Technical Debt (TechDebt), Melbourne, Australia, 2023, pp. 82-91, doi: 10.1109/TechDebt59074.2023.00016.
Resolving security issues via quality-oriented refactoring : a user study
|Author:||Gigante, Domenico1; Pecorelli, Fabiano2,3; Barletta, Vita Santa1;|
1University of Bari Aldo Moro
3Jheronimus Academy of Data Engineering
4Vorarlberg University of Applied Sciences
5University of Oulu
|Online Access:||PDF Full Text (PDF, 0.3 MB)|
|Persistent link:|| http://urn.fi/urn:nbn:fi-fe20231102142398
Institute of Electrical and Electronics Engineers,
|Publish Date:|| 2023-11-02
Software quality is crucial in software development: if not addressed in early phases of the software development life cycle, it may even lead to technical bankruptcy, i.e., a situation in which modifications cost more than redeveloping the application from scratch. In addition, code security must also be addressed to reduce software vulnerabilities and to comply with legal requirements. In this work, we aim to investigate the relationship between refactoring code quality and software security, with the purpose of understanding whether and to what extent improving software quality could have a positive impact on software security as well. Specifically, we investigate to what extent rule violations of a software quality tool such as SonarQube overlap with rule violations of a software vulnerability tool like Fortify Static Code Analyzer. We first compared the rules encoded in the quality models of both tools, to discover possible overlapping cases. Later, we compared the issues raised by both tools on a set of open source Java projects; we also investigated the cases in which a quality refactoring process impacts over software security (thus removing one or more vulnerabilities). We furthermore validated our results statistically. Our results show that resolving software quality issues might also resolve security issues but only in part: many security issues still persist in the source code; also, some quality aspects are more likely to be improved in respect to others. In addition, this empirical study uncovers rule co-occurrences between the two tools. This study confirms the need for using a security-oriented static analysis tool to enforce software security instead of relying only on a quality-oriented one. Results have highlighted important insights for practitioners.
|Pages:||82 - 91|
2023 ACM/IEEE International Conference on Technical Debt (TechDebt)
ACM/IEEE International Conference on Technical Debt (TechDebt)
|Type of Publication:||
A4 Article in conference proceedings
|Field of Science:||
113 Computer and information sciences
© 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.