Can Knowledge of Technical Debt Help Identify Software Vulnerabilities?

Download: Paper.

“Can Knowledge of Technical Debt Help Identify Software Vulnerabilities?” by Robert L. Nord, Ipek Ozkaya, Edward J. Schwartz, Forrest Shull, and Rick Kazman. In Proceedings of the USENIX Workshop on Cyber Security Experimentation and Test, 2016.

Abstract

Software vulnerabilities originating from design decisions are hard to find early and time-consuming to fix later. We investigated whether the problematic design decisions themselves might be relatively easier to find, based on the concept of “technical debt,” i.e., design or implementation constructs that are expedient in the short term but make future changes and fixes more costly. If so, can knowing which components contain technical debt help developers identify and manage certain classes of vulnerabilities? This paper provides our approach for using knowledge of technical debt to identify software vulnerabilities that are difficult to find using only static analysis of the code. We present initial findings from a study of the Chromium open source project that motivate the need to examine a combination of evidence: quantitative static analysis of anomalies in code, qualitative classification of design consequences in issue trackers, and software development indicators in the commit history.

BibTeX entry:

@inproceedings{nord:2016,
  author    = {Robert L. Nord and Ipek Ozkaya and Edward J. Schwartz and
               Forrest Shull and Rick Kazman},
  title     = {Can Knowledge of Technical Debt Help Identify Software
               Vulnerabilities?},
  booktitle = {Proceedings of the USENIX Workshop on Cyber Security
               Experimentation and Test},
  year      = {2016}
}
