Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project

Title: Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Paul, Rajshakhar; Turzo, Asif Kamal; Bosu, Amiangshu
Conference Name: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)
Date Published: May
Keywords: Chromium, code review, Computer bugs, Human Behavior, Logistics, Open Source Software, policy-based governance, pubcrawl, quality assurance, resilience, Resiliency, security, security weaknesses, software engineering, Vulnerability
Abstract: Peer code review has been found to be effective in identifying security vulnerabilities. However, despite practicing mandatory code reviews, many Open Source Software (OSS) projects still encounter a large number of post-release security vulnerabilities, because some security defects escape those reviews. A project manager may therefore wonder whether there was a weakness or inconsistency in a code review that missed a security vulnerability. Answers to this question may help a manager pinpoint areas of concern and take measures to improve the effectiveness of his/her project's code reviews in identifying security defects. This study therefore aims to identify the factors that differentiate code reviews that successfully identified security defects from those that missed such defects. With this goal, we conduct a case-control study of the Chromium OS project. Using multi-stage semi-automated approaches, we build a dataset of 516 code reviews that successfully identified security defects and 374 code reviews in which security defects escaped. The results of our empirical study suggest that there are significant differences between the categories of security defects that are identified and those that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and identified nine code review attributes that influence the identification of security defects. While time to complete a review, the number of mutual reviews between two developers, and whether the review is for a bug fix have positive impacts on vulnerability identification, opposite effects are observed from the number of directories under review, the number of total reviews by a developer, and the total number of prior commits for the file under review.
DOI: 10.1109/ICSE43902.2021.00124
Citation Key: paul_why_2021