Basic Concepts
The author explores the security implications of Self-Admitted Technical Debt (SATD) by analyzing its presence in software artifacts and its potential risks, highlighting the importance of safeguarding against vulnerabilities.
Summary
The study investigates how developers disclose security pointers in SATD sources, mapping them to Common Weakness Enumeration (CWE) identifiers. It reveals that SATD instances can indicate vulnerabilities, with 25 CWE types identified, including several from MITRE's Top-25 most dangerous list. Developers engage in this practice to promote a security culture but acknowledge its risks.
The research methodology involved analyzing a dataset of 8,812 SATD instances and conducting an online survey with 222 OSS practitioners. Results show that security pointers are prevalent across various sources like code comments, commit messages, pull requests, and issue sections. Motivations for disclosing security pointers include improving project quality, compliance with regulations, facilitating collaboration, self-reminders, and promoting a security culture.
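To make the mapping described above concrete, here is an added example (not code from the paper or its replication package) of a small scanner that extracts SATD markers from source comments, looks for security keywords, and tags each hit with a CWE identifier. The keyword-to-CWE table, the marker list and the sample source lines are assumptions constructed for this example; only the CWE numbers themselves are real entries.

```python
import re
from collections import Counter

# Assumed keyword-to-CWE mapping for this example; the paper's own mapping
# is not reproduced here. The CWE identifiers are real CWE entries.
SECURITY_KEYWORDS = {
    r"sql injection|\bsqli\b": "CWE-89",
    r"\bxss\b|cross[- ]site scripting": "CWE-79",
    r"hard-?coded (password|secret|credential)": "CWE-798",
    r"\bmd5\b|\bsha-?1\b|weak (cipher|hash)": "CWE-327",
    r"path traversal|\.\./": "CWE-22",
    r"buffer overflow|off[- ]by[- ]one": "CWE-120",
}

# Common SATD markers used in code comments.
SATD_MARKER = re.compile(r"\b(TODO|FIXME|HACK|XXX)\b", re.IGNORECASE)

# Rough comment extraction for #, // and /* ... */ styles; good enough for
# a single-line demonstration, not a full tokenizer.
COMMENT = re.compile(r"(?:#|//|/\*|^\s*\*)\s*(.*)")


def find_security_pointers(lines):
    """Return SATD comments that carry a security pointer, tagged with a CWE."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = COMMENT.search(line)
        if not m:
            continue
        text = m.group(1)
        marker = SATD_MARKER.search(text)
        if not marker:
            continue  # a comment, but not self-admitted debt
        for pattern, cwe in SECURITY_KEYWORDS.items():
            if re.search(pattern, text, re.IGNORECASE):
                findings.append({
                    "line": n,
                    "marker": marker.group(1).upper(),
                    "cwe": cwe,
                    "text": text.strip(),
                })
                break  # one CWE per pointer keeps the count simple
    return findings


def cwe_summary(findings):
    """Count distinct CWE types, mirroring the paper's 'N CWE types' statistic."""
    return Counter(f["cwe"] for f in findings)


# Constructed sample source: three security pointers, two plain SATD
# comments with no security content, and ordinary code.
SAMPLE = [
    "def query(user):",
    "    # TODO: sql injection here, user is concatenated unescaped",
    "    return db.execute(\"SELECT * FROM t WHERE name = '\" + user + \"'\")",
    "# FIXME hard-coded password, move to env",
    'PASSWORD = "changeme"',
    "// hack: skip validation for now (not security related)",
    "/* XXX we still use MD5 for the session token */",
    "x = 1  # TODO refactor",
]

if __name__ == "__main__":
    hits = find_security_pointers(SAMPLE)
    for h in hits:
        print(f"line {h['line']}: {h['marker']} -> {h['cwe']}: {h['text']}")
    print("CWE types:", dict(cwe_summary(hits)))
```

The same scan applies to commit messages, pull request descriptions and issue text by feeding each message's lines in place of source code; the comment regex simply matches nothing there, so drop the `COMMENT` filter for those sources. A detector like this is a triage aid for prioritizing debt repayment, not a vulnerability verdict: the quotes in the paper's survey show why every hit still needs review, since the pointer may be stale, wrong, or may itself leak sensitive detail.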
Participants expressed concerns about the risks associated with disclosing security pointers in SATD sources. These risks include exposing vulnerabilities, leading to security misconceptions, and potentially exposing sensitive information to unauthorized parties. The study suggests implications for research and practice in enhancing vulnerability prediction methods using SSATD sources and prioritizing TD repayment considering security weaknesses.
Statistics
Overall, 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections.
8 of these CWEs appear among MITRE’s Top-25 most dangerous ones.
We gathered 201 SATD instances through the dataset analysis.
Quotes
"Security pointers can help improve the quality of code reviews by providing reviewers with information about potential security risks." - Participant P60
"If they are picked up by bad actors and exploited, this is risky." - Participant P91
"Security pointers may contain sensitive information such as passwords... that can be exposed to unauthorized parties if not handled properly." - Participant P127