Abstract
[Background]: Program slicing was first introduced to support debugging as a fault localization technique. Yet slicing as a support for identifying vulnerabilities during code inspection has received limited attention. [Aims]: We evaluate the effectiveness of slicing as a general concept for supporting code inspectors in detecting vulnerabilities in source code. [Method]: We designed a controlled experiment whose goal is to identify the vulnerable lines in original or sliced Java files from Apache Tomcat. The treatments differ in the pair (Vulnerability, Original/Sliced file), in a balanced design with four vulnerabilities from the OWASP Top 10. The participants are MSc students attending security courses (n = 236). [Observations]: Using a notion of neighborhood based on the context size of the git diff command, we observed that slicing helps in 'finding something' as opposed to 'finding nothing'. However, once some correct lines have been found, analyzing a slice and analyzing the original file are statistically equivalent.
Field | Value
---|---
Original language | English
Title of host publication | ICSE-Companion 2024
Subtitle of host publication | Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings
Publisher | IEEE Computer Society
Pages | 368-369
Number of pages | 2
ISBN (Electronic) | 9798400705021
DOIs | 
Publication status | Published - 2024
Event | 46th International Conference on Software Engineering: Companion, ICSE-Companion 2024 - Lisbon, Portugal. Duration: 14 Apr 2024 → 20 Apr 2024
Publication series
Field | Value
---|---
Name | Proceedings - International Conference on Software Engineering
ISSN (Print) | 0270-5257
Conference
Field | Value
---|---
Conference | 46th International Conference on Software Engineering: Companion, ICSE-Companion 2024
Country/Territory | Portugal
City | Lisbon
Period | 14/04/24 → 20/04/24
Bibliographical note
Publisher Copyright: © 2024 IEEE Computer Society. All rights reserved.
Keywords
- code inspection
- controlled experiment
- program comprehension
- slicing
- Vulnerabilities