Access Type

WSU Access

Date of Award

January 2023

Degree Type

Dissertation

Degree Name

Ph.D.

Department

Computer Science

First Advisor

Amiangshu Bosu

Abstract

Prior studies found peer code review useful in identifying security defects. That is why most commercial and open-source software (OSS) projects embraced peer code review and mandated its use in the software development life cycle. However, despite conducting mandatory peer code review, many security-critical OSS projects such as Chromium, Mozilla, and Qt are reporting a high number of post-release vulnerabilities to the Common Vulnerabilities and Exposures (CVE) database. Practitioners may wonder whether there is a missing piece in the puzzle that leads code reviews to miss those security defects. To address that, the primary objective of this dissertation study is to improve the effectiveness of peer code review in identifying security defects. To meet this goal, we empirically investigated: (i) why security defects escape code reviews, (ii) what challenges developers face in conducting effective security code reviews, (iii) how to build effective security code review strategies, and (iv) how to make effective use of security experts during code reviews.

The results suggest that there are significant differences between the categories of security defects that are identified and those that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and identified nine code review attributes that influence the identification of security defects. To understand the challenges developers face in conducting effective security code reviews and to build effective strategies, we sent an online survey to 5,697 developers identified by mining the GitHub repositories of 37 OSS projects. The analysis of survey responses identifies five key reasons why developers miss security defects during code reviews. We identify the categories of security defects that developers find most difficult to identify during code reviews. In addition, we identify the resources that help developers build expertise in security code reviews, the most effective strategies for conducting security code reviews, and how project management can produce effective security code reviewers. To improve the effective utilization of security experts during code reviews, we leveraged code review discussions in which developers raise security concerns when they find any. We developed three types of classifiers: the first type uses only the code review comments, the second type uses only the associated code contexts, and the third type is an ensemble of the two former types. Based on our stratified ten-fold cross-validations, the best-performing ensemble model achieves 88.4% accuracy and 79.8% F1-score on average in automatically identifying security concerns during code reviews. We have also developed a prototype to automatically assign security experts to review security-critical code changes.