Standard

A security perspective on code review : The case of Chromium. / di Biase, Marco; Bruntink, Magiel; Bacchelli, Alberto.

2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM). ed. / L. O' Conner. Los Alamitos : IEEE, 2016. p. 21-30.

Research output: Scientific - peer-review; Conference contribution

Harvard

di Biase, M, Bruntink, M & Bacchelli, A 2016, A security perspective on code review: The case of Chromium. in L O' Conner (ed.), 2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM). IEEE, Los Alamitos, pp. 21-30, 2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (Scam 2016), Raleigh, NC, United States, 2-3 October. DOI: 10.1109/SCAM.2016.30

APA

di Biase, M., Bruntink, M., & Bacchelli, A. (2016). A security perspective on code review: The case of Chromium. In L. O' Conner (Ed.), 2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM). (pp. 21-30). Los Alamitos: IEEE. DOI: 10.1109/SCAM.2016.30

Vancouver

di Biase M, Bruntink M, Bacchelli A. A security perspective on code review: The case of Chromium. In O' Conner L, editor, 2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM). Los Alamitos: IEEE. 2016. p. 21-30. DOI: 10.1109/SCAM.2016.30

Author

di Biase, Marco; Bruntink, Magiel; Bacchelli, Alberto / A security perspective on code review : The case of Chromium.

2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM). ed. / L. O' Conner. Los Alamitos : IEEE, 2016. p. 21-30.

Research output: Scientific - peer-review; Conference contribution

BibTeX

@inbook{971dc100f7f94f34abefd3ed7f02b57d,
title = "A security perspective on code review: The case of Chromium",
keywords = "Code review, Empirical software engineering, Mining software repositories, Modern code review, Security flaw, Software security",
author = "{di Biase}, Marco and Magiel Bruntink and Alberto Bacchelli",
year = "2016",
doi = "10.1109/SCAM.2016.30",
isbn = "978-1-5090-3848-0",
pages = "21--30",
editor = "{O' Conner}, L.",
booktitle = "2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM)",
publisher = "IEEE",
address = "United States",
}

RIS

TY - CHAP

T1 - A security perspective on code review

T2 - The case of Chromium

AU - di Biase,Marco

AU - Bruntink,Magiel

AU - Bacchelli,Alberto

PY - 2016

Y1 - 2016

N2 - Modern Code Review (MCR) is an established software development process that aims to improve software quality. Although evidence showed that higher levels of review coverage relate to fewer post-release bugs, the effectiveness of MCR at specifically finding security issues remains unknown. We present work we conducted aiming to fill that gap by exploring the MCR process in the Chromium open source project. We manually analyzed large sets of registered (114 cases) and missed (71 cases) security issues by backtracking in the project's issue, review, and code histories. This enabled us to qualify MCR in Chromium from the security perspective from several angles: Are security issues being discussed frequently? What categories of security issues are often missed or found? What characteristics of code reviews appear relevant to the discovery rate? Within the cases we analyzed, MCR in Chromium addresses security issues at a rate of 1% of reviewers' comments. Chromium code reviews mostly tend to miss language-specific issues (e.g., C++ issues and buffer overflows) and domain-specific ones (e.g., Cross-Site Scripting); when code reviews address issues, mostly they address those that pertain to the latter type. Initial evidence points to reviews conducted by more than 2 reviewers being more successful at finding security issues.

AB - Modern Code Review (MCR) is an established software development process that aims to improve software quality. Although evidence showed that higher levels of review coverage relate to fewer post-release bugs, the effectiveness of MCR at specifically finding security issues remains unknown. We present work we conducted aiming to fill that gap by exploring the MCR process in the Chromium open source project. We manually analyzed large sets of registered (114 cases) and missed (71 cases) security issues by backtracking in the project's issue, review, and code histories. This enabled us to qualify MCR in Chromium from the security perspective from several angles: Are security issues being discussed frequently? What categories of security issues are often missed or found? What characteristics of code reviews appear relevant to the discovery rate? Within the cases we analyzed, MCR in Chromium addresses security issues at a rate of 1% of reviewers' comments. Chromium code reviews mostly tend to miss language-specific issues (e.g., C++ issues and buffer overflows) and domain-specific ones (e.g., Cross-Site Scripting); when code reviews address issues, mostly they address those that pertain to the latter type. Initial evidence points to reviews conducted by more than 2 reviewers being more successful at finding security issues.

KW - Code review

KW - Empirical software engineering

KW - Mining software repositories

KW - Modern code review

KW - Security flaw

KW - Software security

U2 - 10.1109/SCAM.2016.30

DO - 10.1109/SCAM.2016.30

M3 - Conference contribution

SN - 978-1-5090-3848-0

SP - 21

EP - 30

BT - 2016 IEEE 16th IEEE International Working Conference on Source Code Analysis and Manipulation (SACM)

PB - IEEE

ER -

ID: 9684860