Can Knowledge of Technical Debt Help Identify Software Vulnerabilities?

Authors: Robert L. Nord, Ipek Ozkaya, Edward J. Schwartz, Forrest Shull, and Rick Kazman, Carnegie Mellon University

Abstract: 

Software vulnerabilities originating from design decisions are hard to find early and time-consuming to fix later. We investigated whether the problematic design decisions themselves might be relatively easier to find, based on the concept of "technical debt," i.e., design or implementation constructs that are expedient in the short term but make future changes and fixes more costly. If so, can knowing which components contain technical debt help developers identify and manage certain classes of vulnerabilities? This paper provides our approach for using knowledge of technical debt to identify software vulnerabilities that are difficult to find using only static analysis of the code. We present initial findings from a study of the Chromium open source project that motivate the need to examine a combination of evidence: quantitative static analysis of anomalies in code, qualitative classification of design consequences in issue trackers, and software development indicators in the commit history.


BibTeX
@inproceedings {198133,
author = {Robert L. Nord and Ipek Ozkaya and Edward J. Schwartz and Forrest Shull and Rick Kazman},
title = {Can Knowledge of Technical Debt Help Identify Software Vulnerabilities?},
booktitle = {9th Workshop on Cyber Security Experimentation and Test (CSET 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/cset16/workshop-program/presentation/nord},
publisher = {USENIX Association},
month = aug,
}