Publication Type
Journal Article
Version
acceptedVersion
Publication Date
7-2024
Abstract
Identifying security issues early is encouraged to reduce their latent negative impact on software systems. Code review is a widely used method that allows developers to manually inspect modified code, catching security issues during the software development cycle. However, existing code review studies often focus on known vulnerabilities and neglect coding weaknesses, which can introduce real-world security issues and are more visible during code review. How code review practice identifies such coding weaknesses has not yet been fully investigated. To better understand this, we conducted an empirical case study of two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities. Developers attempted to address raised security concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when they are identified. Our findings suggest that reviewers can identify a wide range of coding weaknesses leading to security issues during code review. However, these results also reveal shortcomings in current code review practice, indicating the need for more effective mechanisms or support to increase awareness of security issue management in code reviews.
Keywords
Secure Code Review, Code Review, Vulnerability, Coding Weakness, Software Weakness
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Areas of Excellence
Digital transformation
Publication
Empirical Software Engineering
Volume
29
Issue
4
First Page
1
Last Page
47
ISSN
1382-3256
Identifier
10.1007/s10664-024-10496-y
Publisher
Springer
Citation
CHAROENWET, Wachiraphan; THONGTANUNAM, Patanamon; PHAM, Thuan; and TREUDE, Christoph.
Toward effective secure code reviews: An empirical study of security-related coding weaknesses. (2024). Empirical Software Engineering. 29, (4), 1-47.
Available at: https://ink.library.smu.edu.sg/sis_research/9173
Copyright Owner and License
Authors CC-BY
Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.
Additional URL
https://doi.org/10.1007/s10664-024-10496-y