Identification of the Impacts of Code Changes on the Security of Software

Title: Identification of the Impacts of Code Changes on the Security of Software
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Ben Othmane, Lotfi; Jamil, Ameerah-Muhsina; Abdelkhalek, Moataz
Conference Name: 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)
Keywords: assurance case elements, code change impact, code review, composability, electronic commerce, enterprise resource planning, incremental development, Java, monitored security functions, Monitoring, Open Source Software, open-source e-commerce software application, open-source ERP software application, pubcrawl, public domain software, safety-critical software, Scalability, security, security assessment time, security assurance case, security assurance cases, security requirements, security state, software assurance, software code, software lifetime, software maintenance, software security, source code (software), Tools, Unified modeling language
Abstract: Companies develop their software in versions and iterations. Ensuring the security of each additional version using code review is costly and time consuming. This paper investigates automated tracing of the impacts of code changes on the security of a given software system. To this end, we use call graphs to model the software code, and security assurance cases to model the security requirements of the software. We then relate assurance case elements to code through the entry point methods of the software, creating a map of monitored security functions. This mapping makes it possible to evaluate which security requirements are affected by a given code change. The approach is implemented in a set of tools and evaluated using three open-source ERP/E-commerce software applications. The limited evaluation showed that the approach is effective in identifying the impacts of code changes on the security of the software. The approach promises to considerably reduce the security assessment time of subsequent releases and iterations of software, preserving the initial security state throughout the software lifetime.
DOI: 10.1109/COMPSAC.2019.10268
Citation Key: ben_othmane_identification_2019
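The abstract describes three pieces: a call graph of the code, an assurance case whose leaf claims are tied to entry-point methods, and a derived map of "monitored security functions" that is intersected with the methods a change touches. The following Python is an added illustration of that pipeline written for this record; it is not the authors' tooling, and the paper (which evaluated Java applications) does not spell out its exact mapping rule on this page. Assumptions made here: a monitored set is approximated as every method reachable from a claim's entry points over the call graph, the changed methods are supplied as a set (e.g. extracted from a diff by some other tool), and all method names, claims and call edges are constructed toy data.

```python
"""Added example: trace which assurance-case claims a code change touches.

Pipeline (approximation of the abstract's description, not the paper's code):
  1. call graph  : method -> set of callees
  2. assurance   : claim  -> entry-point methods that realise it
  3. monitor map : claim  -> all methods reachable from its entry points
  4. impact      : claims whose monitored set intersects the changed methods
"""
from collections import deque

# Constructed call graph of a small e-commerce app (hypothetical names).
# A cycle (Session.get -> Auth.requireLogin) is included deliberately so the
# traversal is shown to terminate on real-world recursive call structures.
CALL_GRAPH = {
    "CheckoutController.submitOrder": {"OrderService.place", "Auth.requireLogin"},
    "OrderService.place": {"PaymentGateway.charge", "Validator.sanitize"},
    "PaymentGateway.charge": {"Crypto.sign", "Http.post"},
    "AdminController.listUsers": {"Auth.requireRole", "UserRepo.findAll"},
    "UserRepo.findAll": {"Db.query"},
    "Auth.requireLogin": {"Session.get"},
    "Auth.requireRole": {"Auth.requireLogin"},
    "Session.get": {"Auth.requireLogin"},
}

# Constructed assurance-case leaf claims, each tied to the entry points
# through which the claimed property is enforced.
ASSURANCE_CASE = {
    "C1": {"claim": "Only authenticated users can place orders",
           "entry_points": ["CheckoutController.submitOrder"]},
    "C2": {"claim": "Card data is signed before leaving the system",
           "entry_points": ["CheckoutController.submitOrder"]},
    "C3": {"claim": "User listing requires the admin role",
           "entry_points": ["AdminController.listUsers"]},
}


def reachable(graph, start):
    """Transitive closure of the call relation from `start` (BFS, cycle-safe)."""
    seen = {start}
    queue = deque([start])
    while queue:
        method = queue.popleft()
        for callee in graph.get(method, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def build_monitor_map(graph, assurance_case):
    """claim id -> set of monitored security functions (reachable from its entry points)."""
    return {
        cid: set().union(*(reachable(graph, ep) for ep in spec["entry_points"]))
        for cid, spec in assurance_case.items()
    }


def impacted_claims(monitor_map, changed_methods):
    """Return (affected, unmonitored).

    affected    : claim id -> sorted changed methods inside that claim's monitored set
    unmonitored : changed methods that no claim monitors; these are not "safe",
                  they are a gap in the assurance case and should be flagged.
    """
    changed = set(changed_methods)
    affected = {
        cid: sorted(monitored & changed)
        for cid, monitored in monitor_map.items()
        if monitored & changed
    }
    unmonitored = changed - set().union(*monitor_map.values())
    return affected, sorted(unmonitored)


if __name__ == "__main__":
    monitor_map = build_monitor_map(CALL_GRAPH, ASSURANCE_CASE)
    # Constructed change set: a signing fix, a DB helper tweak, and a logger edit.
    affected, unmonitored = impacted_claims(
        monitor_map, {"Crypto.sign", "Db.query", "Logger.debug"})
    for cid, methods in affected.items():
        print(f"{cid} ({ASSURANCE_CASE[cid]['claim']}): re-assess, touched {methods}")
    print("changed but unmonitored:", unmonitored)
```

Two properties of the toy run are worth noting. C1 and C2 share an entry point, so any change under `CheckoutController.submitOrder` flags both claims even if only one is really affected; the granularity of the mapping is the entry point, so over-approximation is the price of automation. Conversely, a changed method that no claim reaches (`Logger.debug` here) is reported separately rather than silently dropped, because it may mean the assurance case is missing a claim rather than that the change is harmless.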