Computing Reviews
A study examining relationships between micro patterns and security vulnerabilities
Sultana K., Williams B., Bhowmik T. Software Quality Journal 27(1): 5-41, 2019. Type: Article
Date Reviewed: Nov 5 2020

Do you have an unlimited budget for code review and testing? Or can you ignore security vulnerabilities in the code? If not, you might be interested in this novel way of allocating code review and testing resources to better detect security vulnerabilities.

There is an existing body of research on the correlation between architectural patterns and software defects. This paper focuses instead on micro patterns, which are defined at the level of individual Java classes, and looks at their relationship with security vulnerabilities. It outlines the catalog of micro patterns already defined for Java classes, and analyzes which patterns are present in vulnerable and non-vulnerable versions of classes across various versions of Apache Tomcat.

Tomcat is selected as the test case because the project provides a list of all detected and fixed security vulnerabilities, mapped to the individual classes involved. This allows the authors to see which micro patterns (and groupings of two or three micro patterns) are associated with vulnerable and non-vulnerable classes. From the analysis, the paper identifies micro pattern triangles: if two of the three micro patterns of a triangle are present in a class, the class should be considered “at risk.” The risky triangles identified are: CompoundBox-Immutable-Implementor, Pool-Sink-Stateless, and Pool-Sink-LimitedSelf.

The paper does not claim that these patterns (or even their combinations) are unsafe as such, that their use should be avoided, or that there is any causal link. The finding is only that classes exhibiting a risky triangle should get a more thorough review. The paper also identifies safe pairs of micro patterns, which are associated with fewer security vulnerabilities and perhaps do not need as thorough a review as other parts of the code.
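As an added illustration (not code from the reviewed paper or from the Apache Tomcat project), the triangle rule above can be turned into a review-prioritisation check. The class names and their micro pattern sets below are constructed sample input standing in for the output of a micro pattern detector, which is assumed and not implemented here; the only logic shown is the "two of three" rule and the ranking of flagged classes.

```python
"""Turn the micro pattern triangle rule into a code review triage step.

Added example; not code from the reviewed paper or from Apache Tomcat.
Assumption: a separate micro pattern detector (not implemented here) has
already labelled each class with the micro patterns it exhibits, and we
only decide which classes deserve a closer security review.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# The three risky triangles named in the paper, as the review reports them.
RISK_TRIANGLES: Tuple[FrozenSet[str], ...] = (
    frozenset({"CompoundBox", "Immutable", "Implementor"}),
    frozenset({"Pool", "Sink", "Stateless"}),
    frozenset({"Pool", "Sink", "LimitedSelf"}),
)

# Constructed sample input: hypothetical class names (not Tomcat's) mapped to
# the micro patterns an assumed detector reported for them.
SAMPLE_CLASSES: Dict[str, FrozenSet[str]] = {
    "org.example.http.HeaderParser": frozenset({"Pool", "Sink"}),
    "org.example.config.Limits": frozenset({"Pool"}),
    "org.example.model.SessionId": frozenset({"Immutable", "Implementor", "CompoundBox"}),
    "org.example.util.Escaper": frozenset({"Stateless", "Sink"}),
    "org.example.io.Buffer": frozenset({"Box"}),
}


def matched_triangles(patterns: Iterable[str]) -> List[FrozenSet[str]]:
    """Return every risky triangle of which the class shows at least two patterns.

    The rule is deliberately "two of three": a class carrying all three
    patterns of a triangle is flagged too, and a class carrying exactly one
    pattern from each triangle is not flagged at all.
    """
    found = frozenset(patterns)
    return [tri for tri in RISK_TRIANGLES if len(tri & found) >= 2]


def is_at_risk(patterns: Iterable[str]) -> bool:
    """True when any triangle rule fires; this is a review priority, not a finding."""
    return bool(matched_triangles(patterns))


def triage(classes: Dict[str, FrozenSet[str]]) -> List[Tuple[str, int]]:
    """Rank classes for review by the number of triangles they trigger.

    Unflagged classes are left out: the rule says nothing about them.
    Ties are broken by name so the ordering is deterministic.
    """
    hits = [(name, len(matched_triangles(pats))) for name, pats in classes.items()]
    flagged = [(name, n) for name, n in hits if n > 0]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, n in triage(SAMPLE_CLASSES):
        tris = ", ".join("-".join(sorted(t)) for t in matched_triangles(SAMPLE_CLASSES[name]))
        print(f"{name}: review first ({n} triangle(s): {tris})")
```

Two details worth noticing when running this: a class reported as Pool and Sink alone triggers both Pool-Sink triangles, because those two triangles share that pair, and a class showing a single pattern from each triangle (or a pattern outside all three, such as Box in the sample) is not flagged at all. Consistent with the paper's own caveat, a flag here orders the review queue; it does not assert that the class is vulnerable.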

This paper can be an interesting starting point in statistical code analysis with respect to security vulnerabilities; however, the results should be validated across more diverse code bases, beyond a single software project. It would also be highly interesting to see a deeper exploration of the relationship between the presence of a micro pattern (or pattern group) and the presence of a security vulnerability, to see whether there is any causality or just statistical correlation.

Reviewer: Vladimir Mencl. Review #: CR147099 (2101-0011)
General (D.2.0 )