We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:

Download:

Current browse context:

cs.SE

Change to browse by:

cs

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Software Engineering

Title: An Exploratory Study on Regression Vulnerabilities

Abstract: Background: Security regressions are vulnerabilities introduced in a previously unaffected software system. They often happen as a result of source code changes (e.g., a bug fix) and can have severe effects.
Aims: To increase the understanding of security regressions. This is an important step in developing secure software engineering.
Method: We perform an exploratory, mixed-method case study of Mozilla. First, we analyze 78 regression vulnerabilities and 72 bug reports where a bug fix introduced a regression vulnerability at Mozilla. We investigate how developers interact in these bug reports, how they perform the changes, and under what conditions they introduce regression vulnerabilities. Second, we conduct five semi-structured interviews with as many Mozilla developers involved in the vulnerability-inducing bug fixes.
Results: Software security is not discussed during bug fixes. Developers' main concerns are the complexity of the bug at hand and the community pressure to fix it. Moreover, developers do not to worry about regression vulnerabilities and assume tools will detect them. Indeed, dynamic analysis tools helped finding around 30% of regression vulnerabilities at Mozilla.
Conclusions: These results provide evidence that, although tool support helps identify regression vulnerabilities, it may not be enough to ensure security during bug fixes. Furthermore, our results call for further work on the security tooling support and how to integrate them during bug fixes.
Data and materials: this https URL
Comments: This paper has been accepted at ESEM 2022 (16th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement)
Subjects: Software Engineering (cs.SE)
Cite as: arXiv:2207.01942 [cs.SE]
  (or arXiv:2207.01942v1 [cs.SE] for this version)

Submission history

From: Alberto Bacchelli [view email]
[v1] Tue, 5 Jul 2022 10:31:30 GMT (345kb,D)

Link back to: arXiv, form interface, contact.