Dismal code: Studying the evolution of security bugs

Dimitris Mitropoulos, Vassilios Karakoidas, Panos Louridas, Georgios Gousios, Diomidis Spinellis

Research output: Chapter in Book/Conference proceedings/Edited volume > Conference contribution > Scientific > peer-review

12 Citations (Scopus)

Abstract

Background. Security bugs are critical programming errors that can lead to serious vulnerabilities in software. Such bugs may allow an attacker to take over an application, steal data, or prevent the application from working at all. Aim. We used the projects stored in the Maven repository to study the characteristics of security bugs individually and in relation to other software bugs. Specifically, we studied the evolution of security bugs through time. In addition, we examined their persistence and their relationship with a) the size of the corresponding version, and b) other bug categories. Method. We analyzed every project version of the Maven repository by using FindBugs, a popular static analysis tool. To see how security bugs evolve over time, we took advantage of the repository's project history and dependency data. Results. Our results indicate that there is no simple rule governing the number of security bugs as a project evolves. In particular, we cannot say that across projects security-related defect counts increase or decrease significantly over time. Furthermore, security bugs are not eliminated in a way that is particularly different from other bugs. In addition, the relation of security bugs to a project's size appears to be different from the relation of bugs from other categories. Finally, even though bugs seem to have similar behaviour, severe security bugs seem to be unassociated with other bug categories. Conclusions. Our findings indicate that further research should be done to analyze the evolution of security bugs. Given that our experiment included only Java projects, similar research could be done for another ecosystem. Finally, the fact that projects have their own idiosyncrasies concerning security bugs could help us find the common characteristics of the projects where security bugs increase over time.

Original language: English
Title of host publication: 2013 Workshop on Learning from Authoritative Security Experiment Results, LASER 2013
Publisher: USENIX Association
Pages: 37-48
Number of pages: 12
ISBN (Electronic): 9781931971065
Publication status: Published - 2013
Event: 2013 Workshop on Learning from Authoritative Security Experiment Results, LASER 2013 - Arlington, United States
Duration: 16 Oct 2013 to 17 Oct 2013

Conference

Conference: 2013 Workshop on Learning from Authoritative Security Experiment Results, LASER 2013
Country: United States
City: Arlington
Period: 16/10/13 to 17/10/13
