A Study of The Effectiveness of Code Review in Detecting Security Vulnerabilities
Abstract
Software vulnerabilities pose a serious threat to the security and privacy of computer systems and their users. For a system to be reliable and available, its vulnerabilities must be found and fixed before they can be exploited. Two widely used methods for finding vulnerabilities are code review and penetration testing, but there is no broad agreement on which of the two identifies vulnerabilities more effectively. This study reviews in detail the effectiveness of code review and penetration testing in locating vulnerabilities. We survey a body of empirical research and contrast the strengths and limitations of each method. We find that both code review and penetration testing are effective at uncovering vulnerabilities, although their effectiveness varies with the type of vulnerability, the complexity of the code, and the experience of the reviewers or testers. We also find that combining code review with penetration testing can be more effective than using either method alone. These results can help software engineers, security practitioners, and researchers select and apply the appropriate method for locating vulnerabilities in software systems.
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.