Fri 27 Oct 2023 11:20 - 11:40 at Rhythms 2 - 5A - Code review Chair(s): Eray Tüzün

Background: Despite the widespread use of automated security defect detection tools, software projects still contain many security defects that could result in serious damage. Such tools are largely context-insensitive and may not cover all possible scenarios when testing for potential issues, which makes them prone to missing complex security defects. Thorough detection therefore requires synergistic cooperation between these tools and human-intensive detection techniques, including code review. Code review is widely recognized as a crucial and effective practice for identifying security defects.

Aim: This work aims to empirically investigate security defect detection through code review.

Method: To this end, we conducted an empirical study by analyzing code review comments from four projects in the OpenStack and Qt communities. By manually checking 20,995 review comments obtained through keyword-based search, we identified 614 comments as security-related.

Results: Our results show that (1) security defects are not prevalently discussed in code review, (2) more than half of the reviewers provided explicit fixing strategies/solutions to help developers fix security defects, (3) developers tend to follow reviewers' suggestions and action the changes, and (4) "Not worth fixing the defect now" and "Disagreement between the developer and the reviewer" are the main causes for not resolving security defects.

Conclusions: Our results demonstrate that (1) software security practices should combine manual code review with automated detection tools to achieve more comprehensive coverage in identifying and addressing security defects, and (2) promoting appropriate standardization of practitioners' behaviors during code review remains necessary for enhancing software security.

Fri 27 Oct

Displayed time zone: Central Time (US & Canada)

10:40 - 12:15
10:40
20m
Full-paper
ToxiSpanSE: An Explainable Toxicity Detection in Code Review Comments
ESEM Technical Papers
Jaydeb Sarker (Department of Computer Science, Wayne State University); Sayma Sultana (Wayne State University); Steven Wilson; Amiangshu Bosu (Wayne State University)
11:00
20m
Full-paper
Towards Automated Classification of Code Review Feedback to Support Analytics
ESEM Technical Papers
Asif Kamal Turzo (Wayne State University); Fahim Faysal; Ovi Poddar; Jaydeb Sarker (Department of Computer Science, Wayne State University); Anindya Iqbal (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh); Amiangshu Bosu (Wayne State University)
11:20
20m
Full-paper
Security Defect Detection via Code Review: A Study of the OpenStack and Qt Communities
ESEM Technical Papers
Jiaxin Yu; Liming Fu (Wuhan University); Peng Liang (Wuhan University, China); Amjed Tahir (Massey University); Mojtaba Shahin (RMIT University, Australia)
11:40
15m
Vision and Emerging Results
Exploring the Advances in Identifying Useful Code Review Comments
Emerging Results, Vision and Reflection Papers Track
Sharif Ahmed (Boise State University, USA); Nasir Eisty (Boise State University)
11:55
10m
Journal Early-Feedback
Using a Balanced Scorecard to Identify Opportunities to Improve Code Review Effectiveness: An Industrial Experience Report
ESEM Journal-First Papers
Masum Hasan; Anindya Iqbal (Bangladesh University of Engineering and Technology, Dhaka, Bangladesh); Mohammad Rafid Ul Islam; Ajm Imtiajur Rahman; Amiangshu Bosu (Wayne State University)
12:05
10m
Journal Early-Feedback
A Critical Comparison on Six Static Analysis Tools: Detection, Agreement, and Precision
ESEM Journal-First Papers
Valentina Lenarduzzi (University of Oulu); Fabiano Pecorelli (Jheronimus Academy of Data Science); Nyyti Saarimäki (Tampere University); Savanna Lujan (Tampere University); Fabio Palomba (University of Salerno)