Dismal Code: Studying the Evolution of Security Bugs
Authors:
Dimitris Mitropoulos, Vassilios Karakoidas, and Panos Louridas, Athens University of Economics and Business; Georgios Gousios, Delft University of Technology; Diomidis Spinellis, Athens University of Economics and Business
Abstract:
- Background. Security bugs are critical programming errors that can lead to serious vulnerabilities in software. Such bugs may allow an attacker to take over an application, steal data or prevent the application from working at all.
- Aim. We used the projects stored in the Maven repository to study the characteristics of security bugs individually and in relation to other software bugs. Specifically, we studied the evolution of security bugs through time. In addition, we examined their persistence and their relationship with a) the size of the corresponding version, and b) other bug categories.
- Method. We analyzed every project version of the Maven repository by using FindBugs, a popular static analysis tool. To see how security bugs evolve over time we took advantage of the repository's project history and dependency data.
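As an added example, not the paper's own tooling or data, the script below shows the shape of the per-project analysis the method describes: given FindBugs XML reports for successive versions of one artifact, it tallies findings per version, separates the security categories (FindBugs files its security detectors under SECURITY and MALICIOUS_CODE) from the rest, measures how long each finding survives across releases, and compares the rate at which security and non-security findings disappear. The three reports, the artifact `com.example:demo` and its classes are constructed sample data; the pattern names are real FindBugs detector identifiers, but the findings themselves are invented. The release order would come from the repository's version metadata, which is assumed here as a fixed list.

```python
"""Tally FindBugs findings across successive versions of one Maven artifact,
splitting security categories from the rest and measuring finding lifespans."""
from collections import defaultdict
import xml.etree.ElementTree as ET

# FindBugs reports its security-relevant detectors under these two categories.
SECURITY_CATEGORIES = {"SECURITY", "MALICIOUS_CODE"}


def _bug(pattern, priority, category, cls, method, sig):
    """Build one BugInstance element in FindBugs' XML layout (constructed sample data)."""
    return (f'<BugInstance type="{pattern}" priority="{priority}" category="{category}">'
            f'<Class classname="{cls}"/>'
            f'<Method classname="{cls}" name="{method}" signature="{sig}"/></BugInstance>')


# Constructed reports for three releases of a hypothetical artifact "com.example:demo".
# Pattern names are real FindBugs detectors; the findings themselves are invented.
SQL = _bug("SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE", 1, "SECURITY",
           "com.example.UserDao", "find", "(Ljava/lang/String;)V")
EXPOSE = _bug("EI_EXPOSE_REP", 2, "MALICIOUS_CODE", "com.example.Config", "getKeys", "()[B")
NULL = _bug("NP_NULL_ON_SOME_PATH", 2, "CORRECTNESS", "com.example.Parser", "parse",
            "(Ljava/lang/String;)V")
PATH = _bug("PT_ABSOLUTE_PATH_TRAVERSAL", 1, "SECURITY", "com.example.Download", "serve",
            "(Ljava/lang/String;)V")
DEAD = _bug("DLS_DEAD_LOCAL_STORE", 3, "STYLE", "com.example.Parser", "parse",
            "(Ljava/lang/String;)V")

SAMPLE_REPORTS = {
    "1.0": f"<BugCollection>{SQL}{EXPOSE}{NULL}</BugCollection>",
    "1.1": f"<BugCollection>{SQL}{EXPOSE}{PATH}{DEAD}</BugCollection>",
    "1.2": f"<BugCollection>{EXPOSE}{PATH}{DEAD}</BugCollection>",
}
VERSION_ORDER = ["1.0", "1.1", "1.2"]  # assumed release order from repository metadata


def parse_report(xml_text):
    """Return one (key, priority) pair per BugInstance. The key is what lets the
    same finding be recognised across versions: category, pattern and location."""
    bugs = []
    for bi in ET.fromstring(xml_text).iter("BugInstance"):
        cls, meth = bi.find("Class"), bi.find("Method")
        location = cls.get("classname") if cls is not None else "?"
        if meth is not None:
            location += "." + meth.get("name") + meth.get("signature", "")
        bugs.append(((bi.get("category"), bi.get("type"), location),
                     int(bi.get("priority", "3"))))
    return bugs


def counts_per_version(reports, order):
    """Per version: all findings, security findings, and priority-1 security findings."""
    out = {}
    for v in order:
        bugs = parse_report(reports[v])
        sec = [(k, p) for k, p in bugs if k[0] in SECURITY_CATEGORIES]
        out[v] = {"total": len(bugs), "security": len(sec),
                  "severe_security": sum(1 for _, p in sec if p == 1)}
    return out


def persistence(reports, order):
    """Lifespan of each distinct finding: versions from first to last appearance,
    and whether it is still present in the newest version."""
    seen = defaultdict(list)
    for idx, v in enumerate(order):
        for key, _ in parse_report(reports[v]):
            if idx not in seen[key]:
                seen[key].append(idx)
    last = len(order) - 1
    return {k: {"lifespan": ix[-1] - ix[0] + 1, "open": ix[-1] == last}
            for k, ix in seen.items()}


def elimination_rates(reports, order):
    """Fraction of findings present in version i that are gone in version i+1,
    computed separately for security and non-security findings over all pairs."""
    removed = {"security": 0, "other": 0}
    present = {"security": 0, "other": 0}
    keysets = [{k for k, _ in parse_report(reports[v])} for v in order]
    for cur, nxt in zip(keysets, keysets[1:]):
        for key in cur:
            bucket = "security" if key[0] in SECURITY_CATEGORIES else "other"
            present[bucket] += 1
            if key not in nxt:
                removed[bucket] += 1
    return {b: (removed[b] / present[b] if present[b] else 0.0) for b in present}


if __name__ == "__main__":
    for v, c in counts_per_version(SAMPLE_REPORTS, VERSION_ORDER).items():
        print(v, c)
    for key, life in persistence(SAMPLE_REPORTS, VERSION_ORDER).items():
        print(key[1], life)
    print(elimination_rates(SAMPLE_REPORTS, VERSION_ORDER))
```

The finding key deliberately includes the enclosing method rather than a source line, so that a bug which merely moves a few lines between releases is still counted as the same persisting finding; a key built on line numbers would make every refactoring look like a fix followed by a new bug.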
- Results. Our results indicate that there is no simple rule governing the number of security bugs as a project evolves. In particular, we cannot say that across projects security-related defect counts increase or decrease significantly over time. Furthermore, security bugs are not eliminated in a way that is particularly different from the other bugs. In addition, the relation of security bugs with a project's size appears to be different from the relation of the bugs coming from other categories. Finally, even if bugs seem to have similar behaviour, severe security bugs seem to be unassociated with other bug categories.
- Conclusions. Our findings indicate that further research should be done to analyze the evolution of security bugs. Given that our experiment included only Java projects, similar research could be done for other ecosystems. Finally, the fact that projects have their own idiosyncrasies concerning security bugs could help us find the common characteristics of the projects in which security bugs increase over time.
BibTeX
@inproceedings {179993,
author = {Dimitris Mitropoulos and Vassilios Karakoidas and Panos Louridas and Georgios Gousios and Diomidis Spinellis},
title = {Dismal Code: Studying the Evolution of Security Bugs},
booktitle = {LASER 2013 (LASER 2013)},
year = {2013},
isbn = {978-1-931971-06-5},
address = {Arlington, VA},
pages = {37--48},
url = {https://www.usenix.org/laser2013/program/mitropoulos},
publisher = {USENIX Association},
month = oct
}