Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on security

Bibliographic Details
Main authors: Iannone, Emanuele; Codabux, Zadia; Lenarduzzi, Valentina; De Lucia, Andrea; Palomba, Fabio
Format: Online Article Text
Language: English
Published: Springer US 2023
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10209315/
https://www.ncbi.nlm.nih.gov/pubmed/37250850
http://dx.doi.org/10.1007/s10664-023-10287-x
collection PubMed
description Software refactoring is a behavior-preserving activity to improve the source code quality without changing its external behavior. Unfortunately, it is often a manual and error-prone task that may induce regressions in the source code. Researchers have provided initial compelling evidence of the relation between refactoring and defects, yet little is known about how much it may impact software security. This paper bridges this knowledge gap by presenting a large-scale empirical investigation into the effects of refactoring on the security profile of applications. We conduct a three-level mining software repository study to establish the impact of 14 refactoring types on (i) security-related metrics, (ii) security technical debt, and (iii) the introduction of known vulnerabilities. The study covers 39 projects and a total amount of 7,708 refactoring commits. The key results show that refactoring has a limited connection to security. However, Inline Method and Extract Interface statistically contribute to improving some security aspects connected to encapsulating security-critical code components. Extract Superclass and Pull Up Attribute refactoring are commonly found in commits violating specific security best practices for writing secure code. Finally, Extract Superclass and Extract & Move Method refactoring tend to occur more often in commits contributing to the introduction of vulnerabilities. We conclude by distilling lessons learned and recommendations for researchers and practitioners.
id pubmed-10209315
institution National Center for Biotechnology Information
record_format MEDLINE/PubMed
Journal: Empir Softw Eng
Published online: 2023-05-24
License: © The Author(s) 2023. Open Access. This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit https://creativecommons.org/licenses/by/4.0/
topic Article