Visible to the public Detection of protection-impacting changes during software evolution

TitleDetection of protection-impacting changes during software evolution
Publication TypeConference Paper
Year of Publication2018
AuthorsLaverdière, M., Merlo, E.
Conference Name2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER)
Date Publishedmar
KeywordsAccess Control, application security, authorisation, Automated Secure Software Engineering, composability, Image edge detection, maintenance engineering, Mathematical model, negative security changes, protection-impacting changes, pubcrawl, RBAC security, Resiliency, Role Based Access Control, role-based access control, Security Impact of Changes, security regression, security vulnerabilities, Software, software evolution, software maintenance, source code (software), source code changes, static analysis, Web applications, WordPress

Role-Based Access Control (RBAC) is often used in web applications to restrict operations and protect security sensitive information and resources. Web applications regularly undergo maintenance and evolution and their security may be affected by source code changes between releases. To prevent security regression and vulnerabilities, developers have to take re-validation actions before deploying new releases. This may become a significant undertaking, especially when quick and repeated releases are sought. We define protection-impacting changes as those changed statements during evolution that alter privilege protection of some code. We propose an automated method that identifies protection-impacting changes within all changed statements between two versions. The proposed approach compares statically computed security protection models and repository information corresponding to different releases of a system to identify protection-impacting changes. Results of experiments present the occurrence of protection-impacting changes over 210 release pairs of WordPress, a PHP content management web application. First, we show that only 41% of the release pairs present protection-impacting changes. Second, for these affected release pairs, protection-impacting changes can be identified and represent a median of 47.00 lines of code, that is 27.41% of the total changed lines of code. Over all investigated releases in WordPress, protection-impacting changes amounted to 10.89% of changed lines of code. Conversely, an average of about 89% of changed source code have no impact on RBAC security and thus need no re-validation nor investigation. The proposed method reduces the amount of candidate causes of protection changes that developers need to investigate. This information could help developers re-validate application security, identify causes of negative security changes, and perform repairs in a more effective way.

Citation Keylaverdiere_detection_2018