Computing Reviews
A study examining relationships between micro patterns and security vulnerabilities
Sultana K., Williams B., Bhowmik T. Software Quality Journal 27 (1): 5-41, 2019. Type: Article
Date Reviewed: Nov 5 2020

Do you have an unlimited budget for code review and testing? Or can you ignore security vulnerabilities in the code? If not, you might be interested in this novel way of allocating code review and testing resources to better detect security vulnerabilities.

There is already an existing body of research on the correlation between architectural patterns and software defects. This paper focuses on micro patterns (defined for Java classes), looking at their relationship with security vulnerabilities. It outlines micro patterns already defined for Java classes, and analyzes which patterns are present in vulnerable and non-vulnerable versions of these classes across various versions of Apache Tomcat.

Tomcat is selected as the test case because it provides a list of all detected and fixed security vulnerabilities, assigned to the individual classes involved. This allows the authors to see which micro patterns (and which groupings of two or three micro patterns) are associated with vulnerable and non-vulnerable classes. From the analysis, the paper identifies micro pattern triangles, where if two of the three micro patterns are present in a class, the class should be considered “at risk.” The risky triangles identified are: CompoundBox-Immutable-Implementor, Pool-Sink-Stateless, and Pool-Sink-LimitedSelf.

The paper does not claim that these patterns (or even their combinations) are unsafe as such, or that their use should be avoided, or any causality at all. The finding is only that such affected classes should get a more thorough review. The paper also identifies safe pairs of micro patterns, which are generally associated with fewer security vulnerabilities and perhaps do not need as thorough a review as other parts.
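As an added illustration (not code from the paper or from this review), the triangle rule above can be turned into a review-prioritization step over the output of a micro pattern detector; the class names and the detected patterns below are constructed, and the detector itself is assumed to exist elsewhere.

```python
from itertools import combinations

# The three risky triangles named in the paper; two of three present => "at risk".
RISKY_TRIANGLES = [
    ("CompoundBox", "Immutable", "Implementor"),
    ("Pool", "Sink", "Stateless"),
    ("Pool", "Sink", "LimitedSelf"),
]


def triangle_hits(patterns):
    """For one class, return [(triangle, matched_pair, missing_pattern), ...]
    for every risky triangle of which at least two members are present."""
    present = set(patterns)
    hits = []
    for tri in RISKY_TRIANGLES:
        for pair in combinations(tri, 2):
            if set(pair) <= present:
                (missing,) = set(tri) - set(pair)
                hits.append((tri, pair, missing))
    return hits


def is_at_risk(patterns):
    """Flag a class for deeper review when any risky triangle is two-thirds present."""
    return bool(triangle_hits(patterns))


def review_order(detections):
    """detections: {class_name: iterable of detected micro pattern names}.
    Returns (class, hit_count) pairs, most triangle hits first, then by name."""
    scored = [(cls, len(triangle_hits(pats))) for cls, pats in detections.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


# Constructed sample detector output (hypothetical class names, not Tomcat data).
SAMPLE_DETECTIONS = {
    "org.example.RequestParser": ["Pool", "Sink", "Stateless"],
    "org.example.Settings": ["CompoundBox", "Immutable"],
    "org.example.Util": ["Stateless"],
}

if __name__ == "__main__":
    for cls, score in review_order(SAMPLE_DETECTIONS):
        print(f"{score} triangle pair hit(s): {cls}")
```

A class that completes all three members of a triangle scores every pair of that triangle, which is why a full Pool-Sink-Stateless class outranks a class matching only one pair.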

This paper can be an interesting starting point in statistical code analysis with respect to security vulnerabilities; however, the results should be validated across more diverse code bases, beyond a single software project. It would also be highly interesting to see a deeper exploration of the relationship between the presence of a micro pattern or pattern group and the presence of a security vulnerability, to see whether there is any causality or whether it is just statistical correlation.

Reviewer: Vladimir Mencl. Review #: CR147099
Category: General (D.2.0)

Reproduction in whole or in part without permission is prohibited.   Copyright © 2000-2020 ThinkLoud, Inc.