
A Qualitative Study of Vulnerability-Fixing Commits


Mkhallalati, Mouafak (2019) A Qualitative Study of Vulnerability-Fixing Commits. Masters thesis, Concordia University.

Mkhallalati_MASc_S2020.pdf (Accepted Version, PDF, 5MB), available under License Spectrum Terms of Access.

Abstract

Security issues are a major concern in software development, since the impact of an exploited security issue can be detrimental. Much of the prior work has proposed techniques that scan for and predict security vulnerabilities. However, in-depth qualitative studies of software vulnerabilities are limited. Such studies can help the community better understand the types of vulnerabilities that exist and their potential impact, in order to avoid them in the future. Therefore, in this thesis, we present the results of studying security issues faced by developers. Our study leverages data provided by the SAP research team, which contains security-fixing commits related to open source Java projects used by SAP, manually curated and validated by their researchers. We study a statistically significant sample of those commits. In particular, we collect information from the related repositories, issue trackers, documentation and advisories with the aim of comprehending and categorizing such security issues. We also provide the context required to understand each issue, along with code examples extracted from each of the categories in our study. Our findings show that the vulnerabilities commonly facing developers are related to deserialization of untrusted data, zip slip, XML external entity processing, validation, authorization, race conditions, and information exposure. The fixes for those vulnerabilities range from providing proper configuration of the parser in use, in the case of XML-related issues, to requiring in-depth knowledge of the code and of the security issue, as in vulnerabilities related to thread synchronization.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Computer Science and Software Engineering
Item Type: Thesis (Masters)
Authors: Mkhallalati, Mouafak
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Software Engineering
Date: December 2019
Thesis Supervisor(s): Shihab, Emad
ID Code: 986298
Deposited By: Mouafak Mkhallalati
Deposited On: 23 Jun 2021 15:50
Last Modified: 17 Aug 2022 16:20