Problem Statement: The devastating consequences of vulnerability exploitation have forced software development enterprises to shift their focus towards secure software development. Vulnerability prediction facilitates the development of secure software, as it enables the identification and mitigation of security risks (i.e. vulnerabilities) early enough in the overall software development lifecycle. Although several software-related factors have been studied for their ability to indicate software security risk, very limited attention has been given to technical debt (TD), despite its potential relevance to software security.
Contributions: To this end, in the present study, we investigate the ability of common TD indicators (e.g. bugs, code smells) to indicate security risks in software products, at both project-level and class-level granularity. Regarding the project-level analysis, we examine the ability of TD indicators to predict the security risk level of a software project (computed based on static analysis and benchmark data), using a relatively large repository of 210 real-world open-source software products. Regarding the class-level analysis, we investigate the ability of TD indicators to discriminate between vulnerable and clean software classes, as well as to predict the existence of vulnerabilities in software classes, based on a balanced vulnerability dataset of 1200 vulnerable and clean software classes that was constructed from a popular vulnerability benchmark.
Results: The results highlighted the capacity of TD indicators to predict the security risk level of software products, as well as their ability to discriminate between vulnerable and clean software classes and to provide class-level vulnerability prediction of sufficient accuracy.
Novelty: Hence, the findings of our study suggest that TD indicators may potentially indicate security risks in software products.