ICSE 2022
Sun 8 - Fri 27 May 2022
Tue 10 May 2022 03:10 - 03:15 at ICSE room 3-odd hours - Software Security 1 Chair(s): Liliana Pasquale
Wed 11 May 2022 12:20 - 12:25 at ICSE room 2-even hours - Software Security 8 Chair(s): Barbara Russo
Thu 26 May 2022 09:00 - 09:05 at Room 301+302 - Papers 12: Software Testing 1 Chair(s): Barbora Buhnova

Reviewing source code from a security perspective has proven to be a difficult task. Indeed, previous research has shown that developers often miss even popular and easy-to-detect vulnerabilities during code review. Initial evidence suggests that a significant cause may lie in the reviewers' mental attitude and common practices. In this study, we investigate whether and how explicitly asking developers to focus on security during a code review affects the detection of vulnerabilities. Furthermore, we evaluate the effect of providing a security checklist to guide the security review. To this end, we conduct an online experiment with 150 participants, 71% of whom report having three or more years of professional development experience. Our results show that simply asking reviewers to focus on security during the code review increases the probability of vulnerability detection eightfold. The presence of a security checklist does not significantly improve the outcome further, even when the checklist is tailored to the change under review and to the vulnerabilities present in that change. These results provide evidence supporting the mental attitude hypothesis and call for further work on the effectiveness and design of security checklists.

Preprint: icse22.pdf (1.6 MiB)

Tue 10 May

Displayed time zone: Eastern Time (US & Canada)

03:00 - 04:00
Software Security 1 (Journal-First Papers / Technical Track) at ICSE room 3-odd hours
Chair(s): Liliana Pasquale University College Dublin & Lero
03:00
5m
Talk
Deep Learning based Vulnerability Detection: Are We There Yet?
Journal-First Papers
Saikat Chakraborty Columbia University, Rahul Krishna IBM Research, Yangruibo Ding Columbia University, Baishakhi Ray Columbia University
Link to publication DOI Media Attached
03:05
5m
Talk
ReMoS: Reducing Defect Inheritance in Transfer Learning via Relevant Model Slicing
Technical Track
Ziqi Zhang Peking University, Yuanchun Li Microsoft Research, Jindong Wang Microsoft Research, Bingyan Liu Peking University, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University, Yunxin Liu Tsinghua University
Pre-print Media Attached
03:10
5m
Talk
Less is More: Supporting Developers in Vulnerability Detection during Code Review
Technical Track
Larissa Braz University of Zurich, Christian Aeberhard University of Zurich, Gül Calikli University of Glasgow, Alberto Bacchelli University of Zurich
Link to publication DOI Pre-print Media Attached File Attached
03:15
5m
Talk
Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps
Technical Track
Sinan Wang Southern University of Science and Technology, Yibo Wang Northeastern University, Xian Zhan The Hong Kong Polytechnic University, Ying Wang Northeastern University, China, Yepang Liu Southern University of Science and Technology, Xiapu Luo Hong Kong Polytechnic University, Shing-Chi Cheung Hong Kong University of Science and Technology
DOI Pre-print Media Attached

Wed 11 May

12:00 - 13:00
Software Security 8 (Journal-First Papers / SEIP - Software Engineering in Practice / Technical Track) at ICSE room 2-even hours
Chair(s): Barbara Russo
12:00
5m
Talk
Omni: automated ensemble with unexpected models against adversarial evasion attack
Journal-First Papers
Rui Shu North Carolina State University, Tianpei Xia North Carolina State University, Laurie Williams North Carolina State University, Tim Menzies North Carolina State University
Link to publication DOI Media Attached
12:05
5m
Talk
What are Weak Links in the npm Supply Chain?
SEIP - Software Engineering in Practice
Nusrat Zahan North Carolina State University, Laurie Williams North Carolina State University, Thomas Zimmermann Microsoft Research, Patrice Godefroid Microsoft Research, USA, Brendan Murphy Microsoft Research, Chandra Sekhar Maddila Microsoft Research
Pre-print Media Attached
12:10
5m
Talk
Rotten Apples Spoil the Bunch: An Anatomy of Google Play Malware
Technical Track
Michael Cao University of British Columbia, Khaled Ahmed University of British Columbia (UBC), Julia Rubin University of British Columbia
Pre-print Media Attached
12:15
5m
Talk
What the Fork? Finding Hidden Code Clones in npm
Technical Track
Elizabeth Wyss University of Kansas, Lorenzo De Carli Worcester Polytechnic Institute, Drew Davidson University of Kansas
DOI Pre-print Media Attached
12:20
5m
Talk
Less is More: Supporting Developers in Vulnerability Detection during Code Review
Technical Track
Larissa Braz University of Zurich, Christian Aeberhard University of Zurich, Gül Calikli University of Glasgow, Alberto Bacchelli University of Zurich
Link to publication DOI Pre-print Media Attached File Attached
12:25
5m
Talk
A Grounded Theory Based Approach to Characterize Software Attack Surfaces
Technical Track
Sara Moshtari Rochester Institute of Technology, Ahmet Okutan Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
Pre-print Media Attached

Thu 26 May

09:00 - 10:30
Papers 12: Software Testing 1 (Technical Track / NIER - New Ideas and Emerging Results / Journal-First Papers) at Room 301+302
Chair(s): Barbora Buhnova Masaryk University
09:00
5m
Talk
Less is More: Supporting Developers in Vulnerability Detection during Code Review
Technical Track
Larissa Braz University of Zurich, Christian Aeberhard University of Zurich, Gül Calikli University of Glasgow, Alberto Bacchelli University of Zurich
Link to publication DOI Pre-print Media Attached File Attached
09:05
5m
Talk
A Grounded Theory Based Approach to Characterize Software Attack Surfaces
Technical Track
Sara Moshtari Rochester Institute of Technology, Ahmet Okutan Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology
Pre-print Media Attached
09:10
5m
Talk
SymTuner: Maximizing the Power of Symbolic Execution by Adaptively Tuning External Parameters (Distinguished Paper Award)
Technical Track
Sooyoung Cha Sungkyunkwan University, Myungho Lee Korea University, Seokhyun Lee Korea University, South Korea, Hakjoo Oh Korea University
Pre-print Media Attached
09:15
5m
Talk
Free Lunch for Testing: Fuzzing Deep-Learning Libraries from Open Source
Technical Track
Anjiang Wei Stanford University, Yinlin Deng University of Illinois at Urbana-Champaign, Chenyuan Yang Nanjing University, Lingming Zhang University of Illinois at Urbana-Champaign
Pre-print Media Attached
09:20
5m
Talk
Automatic Detection of Performance Bugs in Database Systems using Equivalent Queries
Technical Track
Xinyu Liu Georgia Institute of Technology, Qi Zhou Facebook, Joy Arulraj Georgia Institute of Technology, Alessandro Orso Georgia Tech
Pre-print Media Attached
09:25
5m
Talk
Preempting Flaky Tests via Non-Idempotent-Outcome Tests
Technical Track
Anjiang Wei Stanford University, Pu Yi Peking University, Zhengxi Li University of Illinois Urbana-Champaign, Tao Xie Peking University, Darko Marinov University of Illinois at Urbana-Champaign, Wing Lam University of Illinois at Urbana-Champaign
Pre-print Media Attached
09:30
5m
Talk
A Family of Experiments on Test-Driven Development
Journal-First Papers
Adrian Santos Parrilla University of Oulu, Sira Vegas Universidad Politecnica de Madrid, Oscar Dieste Universidad Politécnica de Madrid, Fernando Uyaguari ETAPA Telecommunications Company, Ayse Tosun Istanbul Technical University, Davide Fucci Blekinge Institute of Technology, Burak Turhan University of Oulu, Giuseppe Scanniello University of Basilicata, Simone Romano University of Bari, Itir Karac University of Oulu, Marco Kuhrmann Reutlingen University, Vladimir Mandić Faculty of Technical Sciences, University of Novi Sad, Robert Ramač Faculty of Technical Sciences, University of Novi Sad, Dietmar Pfahl University of Tartu, Christian Engblom Ericsson, Jarno Kyykka Ericsson, Kerli Rungi Testlio, Carolina Palomeque ETAPA Telecommunications Company, Jaroslav Spisak PAF, Markku Oivo University of Oulu, Natalia Juristo Universidad Politecnica de Madrid
Link to publication DOI Pre-print Media Attached
09:35
5m
Talk
Towards Property-Based Tests in Natural Language
NIER - New Ideas and Emerging Results
Colin Gordon Drexel University
Pre-print Media Attached
09:40
5m
Talk
Automated Testing of Software that Uses Machine Learning APIs
Technical Track
Chengcheng Wan The University of Chicago, Shicheng Liu University of Chicago, Sophie Xie University of California, Berkeley, Yifan Liu University of Chicago, Henry Hoffmann University of Chicago, Michael Maire University of Chicago, Shan Lu University of Chicago
Pre-print Media Attached
