Published July 30, 2023 | Version CC BY-NC-ND 4.0
Journal article Open

A Study of The Effectiveness of Code Review in Detecting Security Vulnerabilities

  • 1. Faculty of Computing, Sri Lanka Institute of Information Technology, Malabe, Sri Lanka.

Contributors

Contact person:

  • 1. Faculty of Computing, Sri Lanka Institute of Information Technology, Malabe, Sri Lanka.

Description

Software flaws pose a severe danger to the security and privacy of computer systems and the people who use them [1]. For software systems to be reliable and available, vulnerabilities must be found and fixed before they can be exploited [2]. Code review and penetration testing are two popular methods for finding weaknesses in software systems [3]; however, there is no wide agreement on which method is better for identifying vulnerabilities [4]. This study reviews in detail the usefulness of code reviews and penetration tests in locating vulnerabilities. We evaluate a large body of empirical research [5] and contrast the benefits and drawbacks of each method. According to our research, both code reviews and penetration tests are useful for uncovering vulnerabilities [6], although their effectiveness varies with the kind of vulnerability, the complexity of the code, and the experience of the testers or reviewers [7][8]. We also found that combining penetration testing with code review may be more efficient than using either approach alone [9]. These results may help software engineers, security experts, and researchers choose and apply the right approach for locating weaknesses in software systems.

Notes

Published By: Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP) © Copyright: All rights reserved.

Files

B76710712223.pdf


Additional details

Related works

Is cited by
Journal article: 2277-3878 (ISSN)

References

  • J. G. C. &. L.-P. M. M. Acosta, "A literature review of vulnerability management in information systems. Computers Security," pp. 47-65, 2016.
  • J. &. L. B. Jørgensen, "Software vulnerability remediation with risk‐based prioritization. Journal of Software: Evolution and Process," 2017.
  • A. R. V. a. H. M. M. Vieira, "A survey on software vulnerability detection using machine learning.," vol. 97, pp. 186-198, 2014.
  • G. &. O. A. L. Sindre, "Eliciting security requirements with misuse cases. Requirements Engineering," vol. 16, pp. 31-56, 2011.
  • J. &. H. S. Ruohonen, "The effectiveness of static code analysis: A systematic literature review," vol. 106, pp. 96-115, 2019.
  • G. &. S. Z. Wassermann, "Static analysis for security," pp. 589-619, 2016.
  • S. A. K. A. &. M. M. S. Ali, "A systematic literature review on security testing of web applications," vol. 45, pp. 124-142, 2015.
  • M. P. V. T. R. A. &. S. K. Böhme, "The effectiveness of testing techniques for fault detection: A systematic review and meta-analysis," vol. 52, pp. 1-40, 2019.
  • D. R. a. F. R. W. Kuhn, "Penetration testing: A hands-on introduction to hacking," 2018.
  • M. Bishop, "Computer Security: Art and Science," vol. 1st edition, 2002.
  • W. S. a. K. E. Ehab Al-Shaer, "A survey on vulnerability assessment and penetration testing techniques," vol. 18, pp. 1033-1046, 2016.
  • N. B. T. a. Z. A. Nagappan, "Mining metrics to predict component failures," pp. 452-461, 2006.
  • Y. B. a. A. F. G.-S. A. Acosta, "An empirical comparison of automated and manual penetration testing," vol. 63, pp. 122-144.
  • J. C. a. A. Meneely, "The impact of code review coverage and code review participation on software quality: a case study of the qt, vtk, and itk projects," vol. 19, pp. 1024-1060, 2014.
  • D. Spinellis, "Code reviews and static code analysis: the last line of defense against software vulnerabilities," vol. 34, pp. 92-97, 2017.
  • M. A. F. A. a. M. A. A.-S. A. M. A. Rizvi, "Effectiveness of software security testing techniques: a systematic review," vol. 123, pp. 155-176, 2017.
  • J. R. T. a. J. H. Park, "A comparative study of vulnerability detection methods," vol. 30, pp. 1395-1411, 2014.
  • B. C. a. M. O. Dino Juric, "Combining static and dynamic analysis for software security assessment," pp. 50-62, 2015.
  • E. B. J. M. B. d. l. P. a. M. Á. R. L. Martínez, "Towards a new integrated approach for web application security testing," vol. 85, pp. 553-566, 2012.
  • K. M. K. H. a. Y. R. Tari, "An empirical comparison of software vulnerability discovery techniques," vol. 64, pp. 835-847, 2015.
  • Z. T. A. A. a. A. L. A. Abdul-Rahman, "A comparison of static and dynamic analysis for software vulnerability detection," pp. 912-917.
  • W. L. a. T. J. T. Chen, "Systematic Identification of Vulnerabilities in Open-Source Software," vol. 17, pp. 674-687, 2020.
  • L. W. a. R. Kessler, "Pair Programming vs. Up-front Design for Extreme Programming," vol. 19, pp. 62-70, 2002.
  • A. Ghaznavi-Zadeh, "A Comprehensive Review of Penetration Testing," vol. 7, 2021.
  • H. Saidani, "Comparative Analysis of Software Vulnerability Assessment Techniques, Journal of Computer Networks and Communications," 2018.
  • C. L. a. S. Sabetzadeh, "An Empirical Study of Code Review Processes in Open-Source Software Projects," vol. 110, pp. 64-80, 2015.
  • R. Kazman, "Software Design Review," vol. 55, pp. 129-137, 2012.
  • K. Stergiopoulos, "Penetration Testing: A Methodology for Enhancing Vulnerability Assessments," vol. 4, pp. 263-271, 2013.
  • A. A. a. H. Siddiqi, "Penetration Testing Methodologies: A Review," vol. 2, pp. 98-110, 2014.
  • A. W. L. &. O. J. Meneely, "Software engineering for cybersecurity: A research roadmap," vol. 144, pp. 1-17, 2018.
  • L. W. a. J. O. M. A. Rahman, "Improving code review efficiency: A study of static analysis and reviewer recommendation," vol. 138, pp. 81-96, 2018.
  • A. P. a. B. K. A. Zeller, "Code review in the dark," vol. 36, pp. 40-47, 2019.
  • L. Y. Y. &. L. Y. Wang, "A large-scale empirical study of code review practices in open source projects," vol. 45, pp. 913-935, 2019.
  • M. I. Ahmed, "Automated code review: A systematic literature review," vol. 144, pp. 163-179, 2018.
  • S. B. a. J. R. W. N. A. Ernst, "Duration of software code review meetings: An empirical analysis," pp. 514-524, 2019.
  • P. T. P. a. A. Orso, "Are automated debugging techniques actually helping programmers," pp. 385-394, 2010.
  • D. H. Shihab, "An Analysis of the Code Review Processes of Open-Source Software Projects," vol. 43, pp. 850-867, 2017.
  • S. K. a. H. K. K. S. Y. Shin, "Combining Static and Dynamic Analysis for Web Application Security Assessment," vol. 12, 2016.
  • M. V. Tripunitara, "Testing for Security: An Overview," vol. 47, pp. 1-37, 2015.
  • G. McGraw, "Software Security Testing: Do We Really Know How to Do This Stuff," vol. 2, pp. 83-86, 2004.
  • B. H. E. R. M. F. A. M. D. W. A. Edmundson, "An Empirical Study on the Effectiveness of Security Code Review".
  • C. A. G. Ç. A. B. L. Braz, "Less is More: Supporting Developers in Vulnerability Detection during Code Review," 2022.
  • "Secure Code Review," Application Security.
  • Y. C. H. X. S. W. a. J. L. Xinyu Yang, "Empirical evaluation of the effectiveness of code review for finding security vulnerabilities in web applications," no. 28, pp. 1058-1071, 2013.
  • M. S. H. B. M. &. B. M. Kessentini, "A systematic review of software fault prediction approaches. Journal of Systems and Software," vol. 83, pp. 1378-1396, 2010.
  • D. Litchfield, "Google Hacking for Penetration Testers," 2005.
  • K. Arvanitakis, S. Mitropoulos and S. Kontogiannis, "A comparative study of code review and penetration testing in web application security," vol. 3, pp. 235-243, 2012.
  • M. K. M. &. O. M. Ferruh, "A comparative study of penetration testing tools," pp. 483-488, 2012.
  • J. &. M. D. DeMott, "The limits of automated web application security scanners," pp. 421-430, 2008.
  • D. H. M. &. A.-A. M. A. Al-Qudah, "A comparative study of code review and testing for finding software defects," pp. 785-795, 2014.
  • W. H. T. &. G. J. Zou, "An empirical study on the effectiveness of code review for finding security vulnerabilities in Android applications," pp. 36-51, 2016.
  • R. M. R. et al., "Comparative study of code review and penetration testing for detecting security vulnerabilities in software," pp. 1-6, 2021.
  • M. F. K. et al., "Comparing code review and penetration testing as vulnerability detection techniques," pp. 1-6, 2019.
  • H. A. K. a. H. M. Abbas, "A comparative study of code review and penetration testing," pp. 191-196, 2018.
  • M. A. A. Q. et al., "Code review versus penetration testing: A comparative analysis," pp. 1-5, 2018.

Subjects

ISSN: 2277-3878 (Online)
https://portal.issn.org/resource/ISSN/2277-3878#
Retrieval Number: 100.1/ijrte.B76710712223
https://www.ijrte.org/portfolio-item/B76710712223/
Journal Website: www.ijrte.org
https://www.ijrte.org/
Publisher: Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP)
https://www.blueeyesintelligence.org/