With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before the application is released to the public. This research aims to quantify how effective software developers are at security code review and how much that effectiveness varies among web developers. We hired 30 developers to conduct a manual code review of a small web application. The application supplied to the developers contained seven known vulnerabilities of three types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. Our findings include: (1) none of the subjects found all of the confirmed vulnerabilities, (2) more experience does not necessarily mean that a reviewer will be more accurate or more effective, and (3) the number of false vulnerability reports a reviewer made was significantly correlated with the number of valid vulnerabilities they reported.
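The three vulnerability classes the reviewers were asked to find are illustrated below as a vulnerable handler beside its hardened form for each class. This is an added example, not code from the study's review target (the page does not show that application); the in-memory database, the `users` table, the session and form dictionaries, and all function names are constructed for illustration.

```python
import html
import hmac
import secrets
import sqlite3


# Constructed stand-in for the application's data store (not the study's app).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return db


# SQL Injection: the vulnerable lookup splices user input into the query text,
# so a value such as  ' OR '1'='1  rewrites the WHERE clause.
def find_user_vulnerable(db, name):
    return db.execute(
        "SELECT name, email FROM users WHERE name = '%s'" % name).fetchall()


# Hardened lookup: the value travels as a bound parameter and is never parsed
# as SQL, whatever characters it contains.
def find_user_safe(db, name):
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Cross-Site Scripting: the vulnerable renderer inserts user input into HTML
# verbatim, so a <script> tag in the name executes in the victim's browser.
def greet_vulnerable(name):
    return "<p>Hello, %s</p>" % name


# Hardened renderer: untrusted data is HTML-escaped (including quotes, so it
# is also safe inside attribute values) before it reaches the page.
def greet_safe(name):
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# Cross-Site Request Forgery: the vulnerable handler acts on any POST that
# arrives with a valid session, so a form on a third-party page can submit
# the request on the logged-in user's behalf.
def change_email_vulnerable(db, session, form):
    db.execute("UPDATE users SET email = ? WHERE name = ?",
               (form["email"], session["user"]))
    return True


# Hardened handler: a per-session random token is embedded in the legitimate
# form and must be echoed back; a cross-site attacker cannot read it.
def issue_csrf_token(session):
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def change_email_safe(db, session, form):
    token = form.get("csrf", "")
    expected = session.get("csrf")
    # compare_digest gives a constant-time comparison of the two tokens.
    if not expected or not hmac.compare_digest(token, expected):
        return False  # reject requests without a valid token
    db.execute("UPDATE users SET email = ? WHERE name = ?",
               (form["email"], session["user"]))
    return True
```

Each vulnerable function is the kind of pattern a reviewer in the study would have had to spot by reading; each safe function shows the corresponding fix a reviewer would expect the developer to apply.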