Are Modern Peer Code Review Strategies Good Enough To Ensure Software Security?
Almost every week, news articles report software security breaches such as hacking, data loss, data leakage, and unauthorized access. For example, fraud.org maintains an updated list of recent high-profile data breaches. Breaches such as Equifax, Yahoo, and Capital One have each been estimated to cost the affected companies more than 100 million dollars. Each of those breaches was enabled by software security vulnerabilities.
A software security vulnerability is a weakness or flaw in a software component that can be exploited. For example, if a website does not keep sensitive information (e.g., login credentials and credit card details) in secure storage, an attacker may gain unauthorized access to that information. Since attackers gain unauthorized access to a system primarily by exploiting its vulnerable software components, identifying and remediating software security vulnerabilities is crucial. Developers generally introduce a security vulnerability by writing code that violates at least one principle of secure coding practice. Lack of knowledge of those secure coding practices, together with not paying close attention to the security details of the code, are considered the top reasons security vulnerabilities are introduced [1].
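The credential-storage example above is the kind of defect a reviewer is expected to catch. The following Python snippet, added here as an illustration and not code from the original post, places the vulnerable form (password kept in clear text) beside a hardened form (per-user random salt plus a slow PBKDF2 hash, constant-time comparison). The in-memory dictionary standing in for a database and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumption: a dict keyed by username stands in for the application's database.
# Assumption: PBKDF2-HMAC-SHA256 with this iteration count is the chosen slow hash.
PBKDF2_ITERATIONS = 600_000


def store_insecure(store, username, password):
    """Vulnerable: the password itself is written to storage.

    Anyone who can read the store (a leaked backup, an injection flaw, a
    misconfigured bucket) immediately obtains every user's password.
    """
    store[username] = {"password": password}
    return store[username]


def verify_insecure(store, username, password):
    """Vulnerable counterpart: plain string comparison against the stored secret."""
    record = store.get(username)
    return record is not None and record["password"] == password


def _derive(password, salt):
    """Slow, salted key derivation so that each offline guess is expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def store_secure(store, username, password):
    """Hardened: only a random salt and the derived hash reach storage.

    A leaked store no longer reveals passwords, and the per-user salt means
    identical passwords produce different records.
    """
    salt = os.urandom(16)
    store[username] = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}
    return store[username]


def verify_secure(store, username, password):
    """Hardened counterpart: recompute the hash and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Still pay the derivation cost so response time does not reveal
        # whether the username exists.
        _derive(password, b"\x00" * 16)
        return False
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    weak_db, strong_db = {}, {}
    store_insecure(weak_db, "alice", "hunter2")
    store_secure(strong_db, "alice", "hunter2")
    print("insecure record:", weak_db["alice"])   # password visible
    print("secure record:", strong_db["alice"])   # salt and hash only
    print("login ok:", verify_secure(strong_db, "alice", "hunter2"))
```

In a review, the `store_insecure` shape is the signal to look for: a secret written to persistent storage unchanged, and a later equality check against it. The hardened version changes what a data leak exposes, not just how login works.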
Software development practices such as peer code review have been found to be effective in the early identification of security vulnerabilities [2]. Peer code review (or simply code review) is a software engineering practice in which a developer's code is reviewed and analyzed by his or her peers (i.e., teammates) to make sure that the code meets a minimum quality bar before it is included in the software. Code review can therefore be viewed as a validation and verification phase of the software lifecycle. It has been adopted as a quality control gateway in most Open Source Software (OSS) projects as well as in commercial projects [3]. With careful code reviewing, a large number of security vulnerabilities can be identified and eliminated before the product is released. Since the longer a security vulnerability goes undetected and unfixed, the more it costs, code reviews, which occur almost immediately after a vulnerability is introduced, can also minimize its economic impact. That is why modern tech giants invest heavily in their code review practices. A study at Microsoft found that its developers spend approximately 10-15% of their working time participating in code reviews [4].
However, are modern code review strategies good enough to ensure that the software is secure? How well do modern code review practices identify software security defects? Figure 1 shows the number of software security vulnerabilities reported to the NVD over the years. The NVD (National Vulnerability Database) is a repository maintained by the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce. Once a security vulnerability is discovered in a released product, it is reported to the NVD. As the figure shows, the number of reported security vulnerabilities has been increasing over the years, and in recent years the increase has been significant.
Figure 1: Reported security vulnerability to the NVD
Despite the many measures taken, a significant number of security vulnerabilities are still introduced, and they can eventually cost a company a great deal of both money and reputation. Given these statistics, one can certainly ask, "Are modern code review strategies good enough to ensure software security?" Maybe not. It is, however, a research question that will require many investigations, and through those investigations we may find better strategies that make our software more secure and reliable.
- [1] G. McGraw. Software security. IEEE Security & Privacy, 2(2):80–83, 2004.
- [2] A. Bosu, J. C. Carver, M. Hafiz, P. Hilley, and D. Janni. Identifying the characteristics of vulnerable code changes: an empirical study. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 257–268, 2014.
- [3] A. Bacchelli and C. Bird. Expectations, outcomes, and challenges of modern code review. In Proceedings of the 2013 International Conference on Software Engineering, pages 712–721. IEEE, 2013.
- [4] A. Bosu, J. C. Carver, C. Bird, J. Orbeck, and C. Chockley. Process aspects and social dynamics of contemporary code review: Insights from open source development and industrial practice at Microsoft. IEEE Transactions on Software Engineering, 43(1):56–75, Jan 2017.