To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education

Authors: Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque




File

OASIcs.ICPEC.2024.16.pdf
  • Filesize: 0.58 MB
  • 12 pages

Author Details

Andrei-Cristian Iosif
  • Universität der Bundeswehr München, Germany
  • Siemens AG, München, Germany
Tiago Espinha Gasiba
  • Siemens AG, München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Portugal

Acknowledgements

The authors would like to thank Kaan Oguzhan for aiding in data collection, and also for the helpful, insightful, and constructive comments and discussions about the present work.

Cite As

Andrei-Cristian Iosif, Tiago Espinha Gasiba, Ulrike Lechner, and Maria Pinto-Albuquerque. To Kill a Mocking Bug: Open Source Repo Mining of Security Patches for Programming Education. In 5th International Computer Programming Education Conference (ICPEC 2024). Open Access Series in Informatics (OASIcs), Volume 122, pp. 16:1-16:12, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2024)
https://doi.org/10.4230/OASIcs.ICPEC.2024.16

Abstract

The use of third-party components (TPCs) and open-source software (OSS) has become increasingly popular in software development, and this trend has also increased the chance of detecting security vulnerabilities. Understanding the practical, recurring vulnerabilities that occur in real-world applications (TPCs and OSS) is a very important step in educating not only aspiring software developers, but also seasoned ones. To achieve this goal, we analyze publicly available OSS on GitHub to identify the most common security vulnerabilities and their frequency of occurrence between 2009 and 2022. Our work breaks the results down by programming language and type of vulnerability, and also analyzes the number of code lines that had to be changed to fix different vulnerabilities. Furthermore, our work contributes to the understanding of the real-world, human-made data quality required for training machine learning algorithms by highlighting the importance of homogeneous and complete data. We provide insights for both developers and researchers seeking to improve cybersecurity in software education and to mitigate the risks associated with OSS and TPCs. Finally, our analysis contributes to software education by shedding light on common sources of poor code quality and on the effort required to fix different vulnerabilities.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software and application security
  • Software and its engineering → Collaboration in software development
  • Information systems → Open source software
  • Security and privacy → Vulnerability management
Keywords
  • Open-source software
  • Software quality
  • Cybersecurity
  • Repository Mining
