An empirical study to improve software security through the application of code refactoring

Abstract

Context: Code bad smells indicate design flaws that can degrade the quality of software and can potentially lead to the introduction of faults. They can be eradicated by applying refactoring techniques. Code bad smells that impact the security perspective of software should be detected and removed from the code base. However, the existing literature is insufficient to support this claim, and there are few studies that empirically investigate bad smells and refactoring opportunities from a security perspective.

Objective: In this paper, we investigate how refactoring can improve the security of an application by removing code bad smells.

Method: We analyzed three different code bad smells in five software systems. First, the identified code bad smells are filtered against security attributes. Next, the object-oriented design and security metrics are calculated for the five investigated systems. Later, refactoring is applied to remove security-related code bad smells. The correctness of the detection and refactoring of the investigated code smells is then validated. Finally, both traditional object-oriented and security metrics are calculated again after removing the bad smells to assess the impact of their removal on the design and security attributes of the systems.

Results: We found ‘feature envy’ to be the most abundant security bad smell in the investigated projects. ‘Move method’ and ‘move field’ are the commonly applied refactoring techniques because of the abundance of feature envy.

Conclusion: The results of the security metrics indicate that refactoring helps improve the security of an application without compromising the overall quality of software systems.
