Why Don’t Developers Detect Improper Input Validation?


Braz, Larissa; Fregnan, Enrico; Çalikli, Gül; Bacchelli, Alberto (2021). Why Don’t Developers Detect Improper Input Validation? In: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), Madrid, ES, 22 May 2021 - 30 May 2021. IEEE, 499-511.

Abstract

Improper Input Validation (IIV) is a software vulnerability that occurs when a system does not safely handle input data. Even though IIV is easy to detect and fix, it still commonly happens in practice. In this paper, we study to what extent developers can detect IIV and investigate underlying reasons. This knowledge is essential to better understand how to support developers in creating secure software systems. We conduct an online experiment with 146 participants, of which 105 report at least three years of professional software development experience. Our results show that the existence of a visible attack scenario facilitates the detection of IIV vulnerabilities and that a significant portion of developers who did not find the vulnerability initially could identify it when warned about its existence. Yet, a total of 60 participants could not detect the vulnerability even after the warning. Other factors, such as the frequency with which the participants perform code reviews, influence the detection of IIV. Preprint: https://arxiv.org/abs/2102.06251. Data and materials: https://doi.org/10.5281/zenodo.3996696.

Additional indexing

Other titles: DROP TABLE Papers
Item Type: Conference or Workshop Item (Paper), refereed, original work
Communities & Collections: 03 Faculty of Economics > Department of Informatics
Dewey Decimal Classification: 000 Computer science, knowledge & systems
Scope: Discipline-based scholarship (basic research)
Language: English
Event End Date: 30 May 2021
Deposited On: 25 Oct 2021 05:43
Last Modified: 06 Mar 2024 14:36
Publisher: IEEE
ISBN: 978-1-6654-0296-5
OA Status: Green
Free access at: Publisher DOI. An embargo period may apply.
Publisher DOI: https://doi.org/10.1109/ICSE43902.2021.00054
Related URLs: https://arxiv.org/pdf/2102.06251.pdf
Other Identification Number: merlin-id:21599
Content: Published Version