Title :
When a Patch Goes Bad: Exploring the Properties of Vulnerability-Contributing Commits
Author :
Meneely, Andrew ; Srinivasan, H. ; Musa, Afiqah ; Rodriguez Tejeda, Alberto ; Mokary, Matthew ; Spates, Brian
Author_Institution :
Dept. of Software Eng., Rochester Inst. of Technol., Rochester, NY, USA
Abstract :
Security is a harsh reality for software teams today. Developers must engineer secure software by preventing vulnerabilities, which are design and coding mistakes that have security consequences. Even in open source projects, vulnerable source code can remain unnoticed for years. In this paper, we traced 68 vulnerabilities in the Apache HTTP server back to the version control commits that contributed the vulnerable code originally. We manually found 124 Vulnerability-Contributing Commits (VCCs), spanning 17 years. In this exploratory study, we analyzed these VCCs quantitatively and qualitatively with the over-arching question: "What could developers have looked for to identify security concerns in this commit?" Specifically, we examined the size of the commit via code churn metrics, the amount developers overwrite each others' code via interactive churn metrics, exposure time between VCC and fix, and dissemination of the VCC to the development community via release notes and voting mechanisms. Our results show that VCCs are large: more than twice as much code churn on average than non-VCCs, even when normalized against lines of code. Furthermore, a commit was twice as likely to be a VCC when the author was a new developer to the source code. The insight from this study can help developers understand how vulnerabilities originate in a system so that security-related mistakes can be prevented or caught in the future.
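The two quantitative traits the abstract reports for VCCs (high code churn normalized against file size, and an author who is new to the code being changed) can be turned into a simple review-prioritization check over commit history. The script below is an added illustration, not code or data from the paper or the Apache project: the commit records are constructed to resemble parsed `git log --numstat` output plus a per-file line count, and the cut-off of twice the sample's median normalized churn is an assumed heuristic, not a threshold the study defines.

```python
"""Flag commits that share the two traits the abstract associates with VCCs:
unusually large normalized code churn, and an author with no prior commits
to the file. Added example; thresholds are assumptions, not the paper's."""
from collections import defaultdict
from statistics import median

# Constructed sample records, oldest first:
# (sha, author, path, lines_added, lines_deleted, file_loc_after_commit).
# This is the shape you would get from parsing `git log --numstat` and
# counting lines per file at each revision; values are made up.
SAMPLE_COMMITS = [
    ("c1", "alice", "modules/a.c", 20, 5, 1000),
    ("c2", "bob",   "modules/a.c", 400, 120, 1280),
    ("c3", "alice", "modules/b.c", 10, 2, 500),
    ("c4", "carol", "modules/b.c", 300, 50, 750),
    ("c5", "alice", "modules/a.c", 15, 15, 1280),
]


def churn(added, deleted):
    """Code churn: total lines the commit touched in this file."""
    return added + deleted


def normalized_churn(added, deleted, loc_after):
    """Churn divided by file size, so a 300-line edit to a 750-line file
    weighs more than the same edit to a 30,000-line file."""
    if loc_after <= 0:
        raise ValueError("loc_after must be positive")
    return churn(added, deleted) / loc_after


def annotate(commits):
    """Walk commits chronologically and record, per (commit, file), the
    normalized churn and whether the author had touched that file before."""
    prior_authors = defaultdict(set)
    rows = []
    for sha, author, path, added, deleted, loc_after in commits:
        rows.append({
            "sha": sha,
            "author": author,
            "path": path,
            "norm_churn": normalized_churn(added, deleted, loc_after),
            "new_to_file": author not in prior_authors[path],
        })
        prior_authors[path].add(author)
    return rows


def review_candidates(commits, churn_multiplier=2.0):
    """Return {sha: [reasons]} for commits that stand out on either trait.
    The churn cut-off (churn_multiplier times the median normalized churn
    of the sample) is an assumed heuristic chosen for this example."""
    rows = annotate(commits)
    cutoff = churn_multiplier * median(r["norm_churn"] for r in rows)
    flagged = {}
    for r in rows:
        reasons = []
        if r["norm_churn"] > cutoff:
            reasons.append(
                f"normalized churn {r['norm_churn']:.3f} exceeds {cutoff:.3f}")
        if r["new_to_file"]:
            reasons.append(
                f"{r['author']} has no prior commits to {r['path']}")
        if reasons:
            flagged.setdefault(r["sha"], []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for sha, reasons in review_candidates(SAMPLE_COMMITS).items():
        print(sha, "->", "; ".join(reasons))
```

On the constructed sample, `c2` and `c4` are flagged for churn and for a first-time author, `c1` and `c3` only because their authors are new to the file, and `c5` is not flagged at all. A real deployment would seed `prior_authors` from history older than the analysis window so that the first commit in the window is not mistaken for a first-time author, and would treat the flags as a reason to route a commit to extra security review rather than as evidence that it is vulnerable.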
Keywords :
security of data; Apache HTTP server; VCC; code churn metrics; coding mistakes; interactive churn metrics; open source projects; secure software; security consequences; security related mistakes; software teams; vulnerability contributing commits; vulnerable source code; Context; Control systems; Encoding; Measurement; Security; Servers; Software; churn; empirical; socio-technical; vulnerability;
Conference_Titel :
Empirical Software Engineering and Measurement, 2013 ACM / IEEE International Symposium on
Conference_Location :
Baltimore, MD
Print_ISBN :
978-0-7695-5056-5
DOI :
10.1109/ESEM.2013.19