An empirical study on the effectiveness of security code review

Authors:
Anne Edmundson;Brian Holtkamp;Emanuel Rivera;Matthew Finifter;Adrian Mettler;David Wagner
Affiliations:
Cornell University, Ithaca, NY;University of Houston---Downtown, Houston, TX;Polytechnic University of Puerto Rico, San Juan, Puerto Rico;University of California, Berkeley, CA;University of California, Berkeley, CA;University of California, Berkeley, CA
Venue:
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Year:
2013

Citing 16
Cited 1

Comparing the Effectiveness of Software Testing Strategies

IEEE Transactions on Software Engineering
Software defect-removal efficiency

Computer
Analysis of the impact of reading technique and inspector capability on individual inspection performance

APSEC '00 Proceedings of the Seventh Asia-Pacific Software Engineering Conference
An experiment to assess cost-benefits of inspection meetings and their alternatives: a pilot study

METRICS '96 Proceedings of the 3rd International Symposium on Software Metrics: From Measurement to Empirical Results
Securing web application code by static analysis and runtime protection

Proceedings of the 13th international conference on World Wide Web
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
SecuBat: a web vulnerability scanner

Proceedings of the 15th international conference on World Wide Web
Sound and precise analysis of web applications for injection vulnerabilities

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Securing web applications with static and dynamic information flow tracking

PEPM '08 Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation
Testing the Value of Checklists in Code Inspections

IEEE Software
Automatic creation of SQL Injection and cross-site scripting attacks

ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Design and code inspections to reduce errors in program development

IBM Systems Journal
State of the Art: Automated Black-Box Web Application Vulnerability Testing

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Impact of maintainability defects on code inspections

Proceedings of the 2010 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement
An approach to improving software inspections performance

ICSM '10 Proceedings of the 2010 IEEE International Conference on Software Maintenance
Exploring the relationship betweenweb application development tools and security

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development

An empirical study of vulnerability rewards programs

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

With the rise of the web as a dominant application platform, web security vulnerabilities are of increasing concern. Ideally, the web application development process would detect and correct these vulnerabilities before they are released to the public. This research aims to quantify the effectiveness of software developers at security code review as well as determine the variation in effectiveness among web developers. We hired 30 developers to conduct a manual code review of a small web application. The web application supplied to developers had seven known vulnerabilities, including three different types: Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. Our findings include: (1) none of the subjects found all confirmed vulnerabilities, (2) more experience does not necessarily mean that the reviewer will be more accurate or effective, and (3) reports of false vulnerabilities were significantly correlated with reports of valid vulnerabilities.