Prioritizing refactorings for security-critical code

Automated Software Engineering

Abstract

It is vitally important to fix quality issues in security-critical code as they may be sources of vulnerabilities in the future. These quality issues may increase the attack surface if they are not quickly refactored. In this paper, we use the history of vulnerabilities and security bug reports along with a set of keywords to automatically identify a project’s security-critical files based on its source code, bug reports, pull-request descriptions and commit messages. After identifying these security-related files, we estimate their risks using static analysis to check their coupling with other project components. Then, our approach recommends refactorings to prioritize fixing quality issues in these security-critical files to improve quality attributes and remove identified code smells. To find a trade-off between the quality issues and security-critical files, we adopted a multi-objective search strategy. We evaluated our approach on six open-source projects and one industrial system to check the correctness and relevance of the refactorings targeting security-critical code. The results of our survey with practitioners support our hypothesis that quality and security need to be considered together to provide relevant refactoring recommendations.
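The pipeline the abstract outlines, as an added sketch that is not the authors' implementation: flag files through security keywords in commit messages, weight them by coupling, then keep the files that are not dominated on security criticality and smell count. It ranks files rather than searching over refactoring sequences, and the keyword list, the fan-in weighting, the sample commits, the dependency edges and the smell counts are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed keyword list; the paper derives its own from vulnerability history.
SECURITY_KEYWORDS = re.compile(
    r"\b(cve-\d{4}-\d+|vulnerab\w*|xss|csrf|injection|overflow|auth\w*|sanitiz\w*)\b",
    re.I)

# Constructed sample data: (commit message, files touched).
COMMITS = [
    ("Fix SQL injection in login query", ["auth/login.py", "db/query.py"]),
    ("Sanitize user input before rendering", ["web/render.py"]),
    ("Update README badges", ["README.md"]),
    ("Patch authentication bypass", ["auth/login.py"]),
    ("Refactor report layout", ["web/report.py"]),
]
# Constructed dependency edges: (importer, imported).
DEPENDS = [("web/render.py", "auth/login.py"), ("web/report.py", "auth/login.py"),
           ("auth/login.py", "db/query.py"), ("web/report.py", "web/render.py")]
# Constructed code-smell counts per file, as a smell detector might report them.
SMELLS = {"auth/login.py": 2, "db/query.py": 5, "web/render.py": 1,
          "web/report.py": 6, "README.md": 0}

def security_hits(commits):
    """Count the security-flagged commits that touch each file."""
    hits = Counter()
    for message, files in commits:
        if SECURITY_KEYWORDS.search(message):
            hits.update(files)
    return hits

def criticality(commits, depends):
    """Weight hits by fan-in: flagged files that many others depend on score higher."""
    fan_in = Counter(dst for _, dst in depends)
    return {f: n * (1 + fan_in[f]) for f, n in security_hits(commits).items()}

def pareto_front(files, crit, smells):
    """Files not dominated on (criticality, smell count), both maximised."""
    def dominates(a, b):
        pa, pb = (crit.get(a, 0), smells[a]), (crit.get(b, 0), smells[b])
        return all(x >= y for x, y in zip(pa, pb)) and pa != pb
    return sorted(f for f in files if not any(dominates(g, f) for g in files))

if __name__ == "__main__":
    crit = criticality(COMMITS, DEPENDS)
    for path in pareto_front(list(SMELLS), crit, SMELLS):
        print(path, "criticality:", crit.get(path, 0), "smells:", SMELLS[path])
```

The front keeps `web/report.py` even though no security commit touches it, which shows why the two objectives have to be weighed together instead of sorting by smell count alone.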

Author information

Correspondence to Marouane Kessentini.

About this article

Cite this article

Abid, C., Alizadeh, V., Kessentini, M. et al. Prioritizing refactorings for security-critical code. Autom Softw Eng 28, 4 (2021). https://doi.org/10.1007/s10515-021-00281-2

  • DOI: https://doi.org/10.1007/s10515-021-00281-2
