TUHH Open Research
What can self-admitted technical debt tell us about security? A mixed-methods study

Publication Type
Conference Paper
Date Issued
2024
Language
English
Author(s)
Díaz Ferreyra, Nicolás (Software Security E-22)
Shahin, Mojtaba
Zahedi, Mansooreh
Quadri, Sodiq (Studiendekanat Elektrotechnik, Informatik und Mathematik (E))
Scandariato, Riccardo (Software Security E-22)
TORE-URI
https://hdl.handle.net/11420/48438
Start Page
704
End Page
715
Citation
IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024
Contribution to Conference
IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024
Publisher DOI
10.1145/3643991.3644909
Scopus ID
2-s2.0-85197378063
Publisher
Institute of Electrical and Electronics Engineers Inc.
ISBN
9798400705878
Is Supplemented By
11420/52052
Abstract
Self-Admitted Technical Debt (SATD) encompasses a wide array of sub-optimal design and implementation choices reported in software artefacts (e.g., code comments and commit messages) by developers themselves. Such reports have been central to the study of software maintenance and evolution over the last decades. However, they can also be deemed dreadful sources of information on potentially exploitable vulnerabilities and security flaws.

Objective: This work investigates the security implications of SATD from a technical and developer-centred perspective. On the one hand, it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories. On the other hand, it delves into developers' perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences.

Method: We followed a mixed-methods approach consisting of (i) the analysis of a pre-existing dataset containing 8,812 SATD instances and (ii) an online survey with 222 OSS practitioners.

Results: We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration (CWE) identifiers. Overall, 25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, of which 8 appear among MITRE's Top 25 most dangerous ones. The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and help them spot flaky code sections, among other motives. However, they also consider such a practice risky, as it may facilitate vulnerability exploits.

Implications: Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks.

CCS Concepts
  • Security and privacy → Human and societal aspects of security and privacy; Software security engineering
  • Software and its engineering → Maintaining software
Subjects
self-admitted technical debt
software engineering
software security
technical debt identification
DDC Class
005: Computer Programming, Programs, Data and Security