4 research outputs found

    Static analysis-based approaches for secure software development

    Software security is a matter of major concern for software development enterprises that wish to deliver highly secure software products to their customers. Static analysis is considered one of the most effective mechanisms for adding security to software products. The multitude of static analysis tools that are available provide a large number of raw results that may contain security-relevant information, which may be useful for the production of secure software. Several mechanisms that can facilitate the production of both secure and reliable software applications have been proposed over the years. In this paper, two such mechanisms, particularly the vulnerability prediction models (VPMs) and the optimum checkpoint recommendation (OCR) mechanisms, are theoretically examined, while their potential improvement by using static analysis is also investigated. In particular, we review the most significant contributions regarding these mechanisms, identify their most important open issues, and propose directions for future research, emphasizing the potential adoption of static analysis for addressing the identified open issues. Hence, this paper can act as a reference for researchers who wish to contribute to these subfields, in order to gain a solid understanding of the existing solutions and their open issues that require further research.

    Exploring Technical Debt in Security Questions on Stack Overflow

    Background: Software security is crucial to ensure that the users are protected from undesirable consequences such as malware attacks which can result in loss of data and, subsequently, financial loss. Technical Debt (TD) is a metaphor incurred by suboptimal decisions resulting in long-term consequences such as increased defects and vulnerabilities if not managed. Although previous studies have studied the relationship between security and TD, examining their intersection in developers' discussion on Stack Overflow (SO) is still unexplored. Aims: This study investigates the characteristics of security-related TD questions on SO. More specifically, we explore the prevalence of TD in security-related queries, identify the security tags most prone to TD, and investigate which user groups are more aware of TD. Method: We mined 117,233 security-related questions on SO and used a deep-learning approach to identify 45,078 security-related TD questions. Subsequently, we conducted quantitative and qualitative analyses of the collected security-related TD questions, including sentiment analysis. Results: Our analysis revealed that 38% of the security questions on SO are security-related TD questions. The most recurrent tags among the security-related TD questions emerged as "security" and "encryption." The latter typically have a neutral sentiment, are lengthier, and are posed by users with higher reputation scores. Conclusions: Our findings reveal that developers implicitly discuss TD, suggesting developers have a potential knowledge gap regarding the TD metaphor in the security domain. Moreover, we identified the most common security topics mentioned in TD-related posts, providing valuable insights for developers and researchers to assist developers in prioritizing security concerns in order to minimize TD and enhance software security. Comment: The 17th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 202