Software security during modern code review: The developer’s perspective


Braz, Larissa; Bacchelli, Alberto (2022). Software security during modern code review: The developer’s perspective. In: ESEC/FSE '22: 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Singapore, Singapore, 14 December 2022 - 18 December 2022. ACM, 810-821.

Abstract

To avoid software vulnerabilities, organizations are shifting security to earlier stages of software development, such as code review time. In this paper, we aim to understand the developers’ perspective on assessing software security during code review, the challenges they encounter, and the support that companies and projects provide. To this end, we conduct a two-step investigation: we interview 10 professional developers and survey 182 practitioners about software security assessment during code review. The outcome is an overview of how developers perceive software security during code review and a set of identified challenges. Our study revealed that most developers do not immediately report focusing on security issues during code review. Only after being asked about software security do developers state that they always consider it during review and acknowledge its importance. Most companies do not provide security training, yet expect developers to still ensure security during reviews. Accordingly, developers report the lack of training and security knowledge as the main challenges they face when checking for security issues. In addition, they have challenges with third-party libraries and with identifying interactions between parts of code that could have security implications. Moreover, security may be disregarded during reviews due to developers’ assumptions about the security dynamics of the application they develop.

Statistics

Citations

3 citations in Web of Science®
5 citations in Scopus®

Downloads

39 downloads since deposited on 13 Mar 2023
31 downloads since 12 months

Additional indexing

Item Type: Conference or Workshop Item (Paper), refereed, original work
Communities & Collections: 03 Faculty of Economics > Department of Informatics
Dewey Decimal Classification: 000 Computer science, knowledge & systems
Scopus Subject Areas: Physical Sciences > Artificial Intelligence; Physical Sciences > Software
Uncontrolled Keywords: code review, security, software vulnerabilities
Scope: Discipline-based scholarship (basic research)
Language: English
Event End Date: 18 December 2022
Deposited On: 13 Mar 2023 08:42
Last Modified: 06 Mar 2024 14:39
Publisher: ACM
ISBN: 9781450394130
OA Status: Hybrid
Publisher DOI: https://doi.org/10.1145/3540250.3549135
Other Identification Number: merlin-id:23367
  • Content: Published Version
  • Language: English