Concordia University

https://www.concordia.ca/content/shared/en/events/encs/computer-science/2019/12/09/Master-Thesis-Defense-Mouafak-Mkhallalati.html

Examinations, Thesis defences

Master Thesis Defense: Mouafak Mkhallalati

Date and time

December 9, 2019
10 a.m. – 12 p.m.

Where

Room 2.260
Engineering, Computer Science and Visual Arts Integrated Complex
1515 St. Catherine W.
SGW campus

Cost

This event is free

Wheelchair accessible

Yes

Speaker(s)

Mouafak Mkhallalati

Speaker: Mouafak Mkhallalati

Supervisor: Dr. E. Shihab

Examining Committee:
Drs. N. Tsantalis, J. Yang, T.-H. Chen (Chair)

Title: A Qualitative Study of Vulnerability-Fixing Commits

Date: Monday, December 9, 2019

Time: 10am

Place: EV 2.260

ABSTRACT

Security issues are a major concern in software development, since the impact of an exploited vulnerability can be severe. Much of the prior work has proposed techniques that scan for and predict security vulnerabilities. However, in-depth, qualitative studies of software vulnerabilities are limited. Such studies can help the community better understand the types of vulnerabilities that exist and their potential impact, in order to avoid them in the future.

Therefore, in this thesis, we present the results of studying the security issues that developers face. Our study leverages a dataset provided by the SAP research team, which contains vulnerability-fixing commits in industry products used by SAP, manually curated and validated by SAP researchers. We study a statistically significant sample of those commits. In particular, we collect information from the related repositories, issue trackers, documentation and advisories, with the aim of understanding and categorizing these security issues. We also provide the context required to understand each issue, along with code examples drawn from each category in our study.

Our findings show that the vulnerabilities developers commonly face are related to Serialization, Zip files, XML, Validation and Verification, Authentication and Authorization, Thread Synchronization, and Hiding Information. The fixes for those vulnerabilities range from configuring the parser correctly, in the case of XML-related issues, to requiring in-depth knowledge of both the code and the security issue, as with vulnerabilities related to Thread Synchronization.
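The XML category is the one whose fix the abstract describes as a matter of parser configuration. The following is an added example, not code from the thesis or from the SAP dataset: it parses one constructed XXE payload twice with Python's standard-library xml.sax parser, once with external general entities enabled (the mis-configuration) and once with them disabled (the fix), and returns what the application would see as the element text in each case. The temporary file, the secret value and the payload are all constructed for this demonstration.

```python
"""Added demonstration, not code from the thesis: the same XXE payload parsed
with the XML parser mis-configured and then with the hardened configuration.
Everything here (file name, secret, payload) is constructed for the demo."""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers the character data inside elements; an external entity that
    the parser resolves lands here as if it were ordinary element text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(secret_path):
    """Constructed attacker input: the DOCTYPE declares an external general
    entity pointing at a local file, and the document body references it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with the standard-library SAX parser. The single feature flag is
    the configuration that decides whether SYSTEM entities are fetched."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls external *general* entities. Set it
    # explicitly rather than relying on the default: CPython enabled it by
    # default before 3.7.1, which is exactly the kind of parser
    # mis-configuration an XML fix corrects.
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Run the payload through both configurations and return
    (text seen by the vulnerable parser, text seen by the hardened parser)."""
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("s3cr3t-db-password")  # constructed secret
        payload = xxe_payload(secret_path)
        leaked = parse_text(payload, resolve_external_entities=True)
        hardened = parse_text(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("external entities enabled :", repr(leaked))   # the secret leaks
    print("external entities disabled:", repr(hardened))  # empty string
```

With the feature enabled, the parser opens the file named in the SYSTEM identifier and splices its contents into the document, so the "secret" comes back as element text; with it disabled, the same reference resolves to nothing and the parser is otherwise unchanged. The point the abstract makes is visible in the diff between the two calls: the fix is one configuration line, not a change to the parsing logic. In Java parsers, which is what most of the SAP products in the dataset would use, the corresponding switch is the Xerces feature http://apache.org/xml/features/disallow-doctype-decl, which rejects the DOCTYPE outright rather than merely declining to fetch the entity.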
