
      Threat Modeling Through Detection, Prevention & Classification of Leading-to-Vulnerability Code Smells (LVCs)

Preprint, in review (research-article)
ScienceOpen Preprints, ScienceOpen
Keywords: code smells, security, static application security testing, machine learning, threat modeling, WEKA, vulnerability, CIA, STRIDE, LINDDUN

            Abstract

Code smells are usually ignored because they are neither bugs nor vulnerabilities; quality engineers and, especially, security architects overlook them. Some code smells, however, can lead to vulnerabilities that attackers may later exploit, so such leading-to-vulnerability code smells must be identified and mitigated by threat modelers. To provide security designers with a repository of these smells, a process was devised and evaluated experimentally. Various web applications were passed through static application security testing (SAST); the resulting code smells were extracted and inserted into a new dataset using Python. The code smells in the dataset were then classified into categories. Finally, machine learning algorithms were evaluated in WEKA, and the fastest as well as the most accurate algorithm was selected. Current security standards still do not ensure mitigation of the threats caused by leading-to-vulnerability code smells. Typically, threat modelers assess the security of a system by modeling threats with the CIA, STRIDE and LINDDUN frameworks on its data flow diagram (DFD) and on various architectural and infrastructural diagrams. Unless they are aware that exploitable vulnerabilities may remain even after all secure design principles have been applied, the system stays open to attack. Our hypothesis was that vulnerable code smells persist even after full compliance with threat modeling standards. Descriptive and inferential statistics were used to analyse the results and to test this hypothesis.
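As an added example (not the paper's own tooling), the dataset-building step the abstract describes: constructed SAST findings are labelled as leading-to-vulnerability (LVC) or not, mapped to a STRIDE category, and written out as a WEKA ARFF file. The smell names, the STRIDE mapping and the sample report are assumptions made for illustration.

```python
# Added example (not the paper's code): turn SAST findings into a WEKA ARFF
# dataset labelled as leading-to-vulnerability (LVC) or not. The smell names,
# the STRIDE mapping and the sample report are constructed for illustration.
import json

# Assumed mapping from smell family to STRIDE category; smells absent here
# are treated as plain quality smells (not leading to a vulnerability).
SMELL_TO_STRIDE = {
    "hardcoded-credential": "InformationDisclosure",
    "unvalidated-input": "Tampering",
    "broad-exception-catch": "Repudiation",
    "missing-authorization-check": "ElevationOfPrivilege",
}
STRIDE_VALUES = sorted(set(SMELL_TO_STRIDE.values()) | {"None"})

# Constructed report in the shape of a simplified SAST JSON export.
SAMPLE_REPORT = json.dumps([
    {"app": "shop", "file": "cart.py", "line": 42, "smell": "hardcoded-credential", "severity": 3},
    {"app": "shop", "file": "views.py", "line": 10, "smell": "long-method", "severity": 1},
    {"app": "blog", "file": "auth.py", "line": 7, "smell": "missing-authorization-check", "severity": 3},
    {"app": "blog", "file": "util.py", "line": 99, "smell": "duplicate-code", "severity": 1},
])

def label_findings(report_json):
    """Parse the report and attach a STRIDE category and LVC label to each finding."""
    rows = []
    for f in json.loads(report_json):
        stride = SMELL_TO_STRIDE.get(f["smell"], "None")
        rows.append({**f, "stride": stride, "lvc": stride != "None"})
    return rows

def to_arff(rows, relation="lvc_smells"):
    """Render labelled findings as ARFF text; 'lvc' is the last (class) attribute."""
    smells = sorted({r["smell"] for r in rows})
    header = [
        f"@RELATION {relation}",
        "@ATTRIBUTE smell {" + ",".join(smells) + "}",
        "@ATTRIBUTE severity NUMERIC",
        "@ATTRIBUTE stride {" + ",".join(STRIDE_VALUES) + "}",
        "@ATTRIBUTE lvc {yes,no}",
        "@DATA",
    ]
    data = [f'{r["smell"]},{r["severity"]},{r["stride"]},{"yes" if r["lvc"] else "no"}'
            for r in rows]
    return "\n".join(header + data) + "\n"

if __name__ == "__main__":
    print(to_arff(label_findings(SAMPLE_REPORT)))
```

The resulting file can be opened directly in the WEKA Explorer with `lvc` as the class attribute, which is the form the classifier comparison in the abstract needs.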


            Author and article information

Journal: ScienceOpen Preprints, ScienceOpen
25 February 2023
Affiliations
[1] Faculty of Computing, Riphah International University, I-14 Campus, Islamabad, 44000, Islamabad Capital Territory, Pakistan
[2] Faculty of Computing, Riphah Institute of Systems Engineering, Evacuee Trust Complex, Islamabad, 44000, Islamabad Capital Territory, Pakistan
Author information: https://orcid.org/0000-0002-4443-6047
Article DOI: 10.14293/S2199-1006.1.SOR-.PPPO2IT.v1

            This work has been published open access under Creative Commons Attribution License CC BY 4.0 , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Conditions, terms of use and publishing policy can be found at www.scienceopen.com .

History: 25 February 2023

The datasets generated during and/or analysed during the current study are available from the corresponding author on reasonable request.

Categories: Software engineering, Programming languages, Security & Cryptology, Artificial intelligence
