research-article

An empirical study to improve software security through the application of code refactoring

Authors:

Mohammad Alshayeb,

Sajjad Mahmood,

Mahmood NiaziAuthors Info & Claims

Volume 96, Issue C

Pages 112 - 125

https://doi.org/10.1016/j.infsof.2017.11.010

Published: 01 April 2018 Publication History

Abstract

Context

Code bad smells indicate design flaws that can degrade the quality of software and can potentially lead to the introduction of faults. They can be eradicated by applying refactoring techniques. Code bad smells that impact the security perspective of software should be detected and removed from their code base. However, the existing literature is insufficient to support this claim and there are few studies that empirically investigate bad smells and refactoring opportunities from a security perspective.

Objective

In this paper, we investigate how refactoring can improve the security of an application by removing code bad smell.

Method

We analyzed three different code bad smells in five software systems. First, the identified code bad smells are filtered against security attributes. Next, the object-oriented design and security metrics are calculated for the five investigated systems. Later, refactoring is applied to remove security-related code bad smells. The correctness of detection and refactoring of investigated code smells are then validated. Finally, both traditional object-oriented and security metrics are again calculated after removing bad smells to assess its impact on the design and security attributes of systems.

Results

We found ‘feature envy’ to be the most abundant security bad smell in investigated projects. The ‘move method’ and ‘move field’ are commonly applied refactoring techniques because of the abundance of feature envy.

Conclusion

The results of security metrics indicate that refactoring helps improve the security of an application without compromising the overall quality of software systems.

References

[1]

A. Yamashita, L. Moonen, To what extent can maintenance problems be predicted by code smell detection? An empirical study, Inf. Softw. Technol. 55 (2013) 2223–2242.

Digital Library

[2]

M. Fowler, K. Beck, J. Brant, W. Opdyke, Refactoring: Improving the Design of Existing Code, Addison-Wesley, 1999.

Digital Library

[3]

A. Yamashita, L. Moonen, Do code smells reflect important maintainability aspects?, in: 28th IEEE International Conference on Software Maintenance, 2012, pp. 306–315.

[4]

M. Zhang, T. Hall, N. Baddoo, Code bad smells: a review of current knowledge, J. Softw. Maintenance Evol.: Res. Pract. 23 (2011) 179–202.

[5]

G. Bavota, A. Qusef, R. Oliveto, A. De Lucia, D. Binkley, Are test smells really harmful? An empirical study, Empirical Softw. Eng. 20 (2015) 1052–1094.

[6]

A. Jedlitschka, M. Ciolkowski, D. Pfahl, Reporting experiments in software engineering, in: F. Shull, J. Singer, D.I.K. Sjøberg (Eds.), Guide to Advanced Empirical Software Engineering, Springer London, London, 2008, pp. 201–228.

[7]

inFusion. https://www.intooitus.com/inFusion.html, 2016 (accessed 23 February 2016).

[8]

F.A. Fontana, E. Mariani, A. Mornioli, R. Sormani, A. Tonello, An experience report on using code smells detection tools, in: 2011 Fourth International Conference on Software Testing, Verification and Validation Workshops, 2011, pp. 450–457.

[9]

F.A. Fontana, M. Zanoni, On investigating code smells correlations, in: 2011 Fourth International Conference on Software Testing, Verification and Validation Workshops, 2011, pp. 474–475.

[10]

F.A. Fontana, M. Mangiacavalli, D. Pochiero, M. Zanoni, On experimenting refactoring tools to remove code smells, in: Scientific Workshop Proceedings of the XP2015, 2015, pp. 1–8.

[11]

T. Saika, E. Choi, N. Yoshida, S. Haruna, K. Inoue, Do developers focus on severe code smells?, in: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering, 2016, pp. 1–3.

[12]

N. Yoshida, T. Saika, E. Choi, A. Ouni, K. Inoue, Revisiting the relationship between code smells and refactoring, in: 2016 IEEE 24th International Conference on Program Comprehension (ICPC), IEEE, 2016, pp. 1–4.

[13]

T. Paiva, A. Damasceno, J. Padilha, E. Figueiredo, C. Sant'Anna, Experimental Evaluation of Code Smell Detection Tools, 2015.

[14]

F.A. Fontana, I. Pigazzini, R. Roveda, M. Zanoni, Automatic detection of instability architectural smells, in: 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), IEEE, 2016, pp. 433–437.

[15]

I. Gorton, Essential Software Architecture, Springer Science & Business Media, 2006.

Digital Library

[16]

N. Bevan, Measuring usability as quality of use, Softw. Qual. J. 4 (1995) 115–130.

[17]

M. Genero, J. Olivas, M. Piattini, F. Romero, Using metrics to predict OO information systems maintainability, Advanced Information Systems Engineering, Springer, 2001, pp. 388–401.

[18]

R. Marinescu, Measurement and quality in object-oriented design, in: Proceedings of the 21st IEEE International Conference on Software Maintenance, 2005. ICSM'05, IEEE, 2005, pp. 701–704.

[19]

J. Jürjens, Secure Systems Development with UML, Springer Science & Business Media, 2005.

Digital Library

[20]

C. Nist, Glossary of Key Information Security Terms, National Institute of Standards and Technology, Gaithersburg, MD, 2006.

[21]

M. Whitman, H. Mattord, Principles of Information Security, Cengage Learning, 2011.

[22]

G. Suryanarayana, G. Samarthyam, T. Sharma, Chapter 2—design smells, in: G. Suryanarayana, G.S. Sharma (Eds.), Refactoring for Software Design Smells, Morgan Kaufmann, Boston, 2015, pp. 9–19.

[23]

W.F. Opdyke, Refactoring Object-Oriented Frameworks, University of Illinois at Urbana-Champaign, 1992.

Digital Library

[24]

W.C. Wake, Refactoring Workbook, Addison-Wesley Professional, 2004.

[25]

T. Mens, T. Tourwé, A survey of software refactoring, IEEE Trans. Softw. Eng. 30 (2004) 126–139.

Digital Library

[26]

D.B. Roberts, R. Johnson, Practical Analysis for Refactoring, University of Illinois at Urbana-Champaign, 1999.

[27]

InterlliJ IDEA. https://www.intellij.com/idea, 2016 (accessed 23 February 2016).

[28]

RefactorIt. https://sourceforge.net/projects/refactorit/, 2016 (accessed 23 February 2016).

[29]

JRefactory. https://jrefactory.sourceforge.net, 2016 (accessed 23 February 2016).

[30]

M. Misbhauddin, M. Alshayeb, UML model refactoring: a systematic literature review, Empirical Softw. Eng. 20 (2013) 206–251.

[31]

T.v. Enckevort, Refactoring UML models: using open architecture ware to measure uml model quality and perform pattern matching on UML models with OCL queries, in: Proceedings of the 24th ACM SIGPLAN Conference Companion on Object Oriented Programming Systems Languages and Applications, ACM, 2009, pp. 635–646.

[32]

I.H. Moghadam, M.O. Cinneide, Automated refactoring using design differencing, in: The 16th European Conference on Software Maintenance and Reengineering (CSMR), IEEE, 2012, pp. 43–52.

[33]

A.C. Jensen, B.H. Cheng, On the use of genetic programming for automated refactoring and the introduction of design patterns, in: Proceedings of the 12th Annual Conference on Genetic and Evolutionary Computation, ACM, 2010, pp. 1341–1348.

[34]

S.R. Chidamber, C.F. Kemerer, A metrics suite for object oriented design, IEEE Trans. Softw. Eng. 20 (1994) 476–493.

Digital Library

[35]

J. Al Dallal, L.C. Briand, An object-oriented high-level design-based class cohesion metric, Inf. Softw. Technol. 52 (2010) 1346–1361.

[36]

J. Bansiya, C.G. Davis, A hierarchical model for object-oriented design quality assessment, IEEE Trans. Softw. Eng. 28 (2002) 4–17.

Digital Library

[37]

C.F. Lange, M.R. Chaudron, Managing model quality in UML-based software development, in: 13th IEEE International Workshop on Software Technology and Engineering Practice, 2005, IEEE, 2005, pp. 7–16.

[38]

A.A. Jalbani, J. Grabowski, H. Neukirchen, B. Zeiss, Towards an integrated quality assessment and improvement approach for UML models, SDL 2009: Design for Motes and Mobiles, Springer, 2009, pp. 63–81.

[39]

G. Spanoudakis, A. Zisman, Inconsistency management in software engineering: survey and open research issues, Handbook of Software Engineering and Knowledge Engineering, vol. 1, 2001, pp. 329–380.

[40]

T. Massoni, Introducing Refactoring to Heavyweight Software Processes, in: Technical Report, CIn-UFPE, Brasil, 2003.

[41]

M. Fowler. http://www.refactoring.com, 2016 (accessed 13 June 2016).

[42]

M.J. Munro, Product metrics for automatic identification of “bad smell” design problems in java source-code, in: 11th IEEE International Symposium on Software Metrics, 2005.

[43]

W. Cushman, D. Rosenberg, Factors in Product Design, Elsevier, 1991.

[44]

R. Shatnawi, W. Li, An investigation of bad smells in object-oriented design, in: Third International Conference on Information Technology: New Generations, 2006. ITNG 2006, IEEE, 2006, pp. 161–165.

[45]

A. Monden, D. Nakae, T. Kamiya, S.-i. Sato, K.-i. Matsumoto, Software quality analysis by code clones in industrial legacy software, in: Proceedings of Eighth IEEE Symposium on Software Metrics, 2002, IEEE, 2002, pp. 87–94.

[46]

C.J. Kapser, M.W. Godfrey, Cloning considered harmful” considered harmful: patterns of cloning in software, Empirical Softw. Eng. 13 (2008) 645–692.

[47]

S. Counsell, R.M. Hierons, R. Najjar, G. Loizou, Y. Hassoun, The effectiveness of refactoring, based on a compatibility testing taxonomy and a dependency graph, in: Proceedings of Testing: Academic and Industrial Conference-Practice and Research Techniques, 2006. TAIC PART 2006, IEEE, 2006, pp. 181–192.

[48]

J. Al Dallal, Identifying refactoring opportunities in object-oriented code: a systematic literature review, Inf. Softw. Technol. 58 (2015) 231–249.

[49]

J.L. Vivas, J.A. Montenegro, J. López, Towards a business process-driven framework for security engineering with the UML, Information Security, Springer, 2003, pp. 381–395.

[50]

J. Jürjens, UMLsec: extending UML for secure systems development, ≪UML≫ 2002—The Unified Modeling Language, Springer, 2002, pp. 412–425.

[51]

M. Siponen, R. Baskerville, A new paradigm for adding security into IS development methods, Advances in Information Security Management & Small Systems Security, Springer, 2001, pp. 99–111.

[52]

C. Artelsmair, W. Essmayr, P. Lang, R. Wagner, E. Weippl, CoSMo: an approach towards conceptual security modeling, Database and Expert Systems Applications, Springer, 2002, pp. 557–566.

[53]

E.B. Fernandez, A methodology for secure software design, Software Engineering Research and Practice, 2004, pp. 130–136.

[54]

M. Howard, Attack surface: mitigate security risks by minimizing the code you expose to untrusted users, Microsoft MSDN Magazine, 2004.

[55]

P.K. Manadhata, J.M. Wing, An attack surface metric, IEEE Trans. Softw. Eng. 37 (2011) 371–386.

[56]

B. Alshammari, C. Fidge, D. Corney, Security metrics for object-oriented designs, in: 2010 21st Australian Software Engineering Conference (ASWEC), IEEE, 2010, pp. 55–64.

[57]

B. Alshammari, C. Fidge, D. Corney, Security metrics for object-oriented class designs, in: 9th International Conference on Quality Software, 2009. QSIC'09, IEEE, 2009, pp. 11–20.

[58]

I. Chowdhury, B. Chan, M. Zulkernine, Security metrics for source code structures, in: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, ACM, 2008, pp. 57–64.

[59]

B. Alshammari, C. Fidge, D. Corney, Security assessment of code refactoring rules, in: Proceedings of WIAR'2012; National Workshop on Information Assurance Research, VDE, 2012, pp. 1–10.

[60]

B. Alshammari, C. Fidge, D. Corney, Assessing the impact of refactoring on security-critical object-oriented designs, in: 2010 17th Asia Pacific Software Engineering Conference (APSEC), IEEE, 2010, pp. 186–195.

[61]

K.A. Ferreira, M.A. Bigonha, R.S. Bigonha, L.F. Mendes, H.C. Almeida, Identifying thresholds for object-oriented software metrics, J. Syst. Softw. 85 (2012) 244–257.

[62]

P.P. Stepan Cais, Identifying software metrics thresholds for safety critical system, in: The Third International Conference on Informatics Engineering and Information Science (ICIEIS2014), The Society of Digital Information and Wireless Communications, 2014, pp. 67–78.

[63]

D. Bhalla, Automatic Detection of Bad Smells in Java Code, California State University, Long Beach, 2009.

[64]

T. Arendt, F. Mantz, G. Taentzer, EMF refactor: specification and application of model refactorings within the Eclipse Modeling Framework, in: Proceedings of the BENEVOL Workshop, 2010.

[65]

R. Fourati, N. Bouassida, H.B. Abdallah, A metric-based approach for anti-pattern detection in uml designs, Computer and Information Science 2011, Springer, 2011, pp. 17–33.

[66]

N. Moha, Y.-G. Gueheneuc, L. Duchien, A.-F. Le Meur, DECOR: a method for the specification and detection of code and design smells, IEEE Trans. Softw. Eng. 36 (2010) 20–36.

Digital Library

[67]

A. Ghannem, M. Kessentini, G. El Boussaidi, Detecting model refactoring opportunities using heuristic search, in: Proceedings of the 2011 Conference of the Center for Advanced Studies on Collaborative Research, IBM Corp., 2011, pp. 175–187.

[68]

P. Van Gorp, H. Stenten, T. Mens, S. Demeyer, Formal UML Support for the Semi-Automatic Application of Object-Oriented Refactorings, University of Antwerp, Citeseer, 2003.

[69]

T. Ruhroth, H. Voigt, H. Wehrheim, Measure, diagnose, refactor: a formal quality cycle for software models, in: 35th Euromicro Conference on Software Engineering and Advanced Applications, 2009. SEAA'09, IEEE, 2009, pp. 360–367.

[70]

M. Saeki, H. Kaiya, Model metrics and metrics of model transformations, in: The First Workshop on Quality in Modeling, 2006, pp. 31–45.

[71]

M. Mohamed, M. Romdhani, K. Ghedira, M-REFACTOR: a new approach and tool for model refactoring, ARPN J. Syst. Softw. 1 (4) (2011) 117–122.

[72]

M. Van Kempen, M. Chaudron, D. Kourie, A. Boake, Towards proving preservation of behaviour of refactoring of UML models, in: Proceedings of the 2005 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries, South African Institute for Computer Scientists and Information Technologists, 2005, pp. 252–259.

[73]

Eclipse, Eclipse Homepage. Available: https://www.eclipse.org/, 2016 (accessed 23 February 2016).

[74]

Checkstyle. https://checkstyle.sourceforge.net/, 2016 (accessed 23 February 2016).

[75]

Décor. https://www.ptidej.net/download, 2016 (accessed 23 February 2016).

[76]

iPlasma. https://loose.upt.ro/reengineering/research/iplasma, 2016 (accessed 23 February 2016).

[77]

JDeodorant. https://github.com/tsantalis/JDeodorant, 2016 (accessed 23 February 2016).

[78]

PMD. https://pmd.sourceforge.net/, 2016 (accessed 23 February 2016).

[79]

Stench Blossom. https://github.com/DeveloperLiberationFront/refactoring-tools/wiki/Stench-Blossom, 2016 (accessed 23 February 2016).

[80]

G. Soares, R. Gheyi, T. Massoni, Automated behavioral testing of refactoring engines, IEEE Trans. Softw. Eng. 39 (2013) 147–162.

[81]

F.A. Fontana, M. Mangiacavalli, D. Pochiero, M. Zanoni, On experimenting refactoring tools to remove code smells, in: Scientific Workshop Proceedings of the XP2015, ACM, 2015, p. 7.

[82]

M. Ó Cinnéide, L. Tratt, M. Harman, S. Counsell, I. Hemati Moghadam, Experimental assessment of software metrics using automated refactoring, in: Proceedings of the ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, ACM, 2012, pp. 49–58.

[83]

V. Veerappa, R. Harrison, An empirical validation of coupling metrics using automated refactoring, in: 2013 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, IEEE, 2013, pp. 271–274.

[84]

T.D. Cook, D.T. Campbell, A. Day, Quasi-Experimentation: Design & Analysis Issues for Field Settings, Houghton Mifflin, Boston, 1979.

[85]

D.T. Campbell, J.C. Stanley, Experimental and Quasi-Experimental Designs for Research, Ravenio Books, 2015.

[86]

W.H. Brown, R.C. Malveau, T.J. Mowbray, AntiPatterns: Refactoring Software, Architectures, and Projects in Crisis, 1998.

Digital Library

Cited By

Pandiyavathi TSivakumar B(2025)Ensemble Deep Network for Secured Refactoring Framework by Predicting Code‐Bad Smells in Software ProjectsJournal of Software: Evolution and Process10.1002/smr.274937:2Online publication date: 6-Feb-2025
https://dl.acm.org/doi/10.1002/smr.2749
Edward ENyamawe AElisa N(2024)A Survey on Secure RefactoringSN Computer Science10.1007/s42979-024-03325-y5:7Online publication date: 12-Oct-2024
https://dl.acm.org/doi/10.1007/s42979-024-03325-y
Liu XChen ZQian YZhong CHuang HLi SShao D(2024)Towards a security‐optimized approach for the microservice‐oriented decompositionJournal of Software: Evolution and Process10.1002/smr.267036:10Online publication date: 10-Oct-2024
https://dl.acm.org/doi/10.1002/smr.2670
Show More Cited By

Index Terms

An empirical study to improve software security through the application of code refactoring
1. Social and professional topics
  1. Professional topics
    1. Management of computing and information systems
      1. Software management
        Software maintenance
2. Software and its engineering
  1. Software creation and management
    1. Software development techniques
    2. Software post-development issues
  2. Software notations and tools

Index terms have been assigned to the content through auto-classification.

Recommendations

Prioritising Refactoring Using Code Bad Smells
ICSTW '11: Proceedings of the 2011 IEEE Fourth International Conference on Software Testing, Verification and Validation Workshops

We investigated the relationship between six of Fowler et al.'s Code Bad Smells (Duplicated Code, Data Clumps, Switch Statements, Speculative Generality, Message Chains, and Middle Man) and software faults. In this paper we discuss how our results can ...
Code Bad Smells: a review of current knowledge

Fowler et al. identified 22 Code Bad Smells to direct the effective refactoring of code. These are increasingly being taken up by software engineers. However, the empirical basis of using Code Bad Smells to direct refactoring and to address ‘trouble’ in ...
The buggy side of code refactoring: understanding the relationship between refactorings and bugs
ICSE '18: Proceedings of the 40th International Conference on Software Engineering: Companion Proceeedings

Code refactoring is widely practiced by software developers. There is an explicit assumption that code refactoring improves the structural quality of a software project, thereby also reducing its bug proneness. However, refactoring is often applied with ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Information and Software Technology

Information and Software Technology Volume 96, Issue C

Apr 2018

181 pages

ISSN:0950-5849

Issue’s Table of Contents

Elsevier B.V.

Publisher

Butterworth-Heinemann

United States

Publication History

Published: 01 April 2018

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Pandiyavathi TSivakumar B(2025)Ensemble Deep Network for Secured Refactoring Framework by Predicting Code‐Bad Smells in Software ProjectsJournal of Software: Evolution and Process10.1002/smr.274937:2Online publication date: 6-Feb-2025
https://dl.acm.org/doi/10.1002/smr.2749
Edward ENyamawe AElisa N(2024)A Survey on Secure RefactoringSN Computer Science10.1007/s42979-024-03325-y5:7Online publication date: 12-Oct-2024
https://dl.acm.org/doi/10.1007/s42979-024-03325-y
Liu XChen ZQian YZhong CHuang HLi SShao D(2024)Towards a security‐optimized approach for the microservice‐oriented decompositionJournal of Software: Evolution and Process10.1002/smr.267036:10Online publication date: 10-Oct-2024
https://dl.acm.org/doi/10.1002/smr.2670
Liu BLiu HLi GNiu NXu ZWang YXia YZhang YJiang YChandra SBlincoe KTonella P(2023)Deep Learning Based Feature Envy Detection Boosted by Real-World ExamplesProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616353(908-920)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616353
Iannone ECodabux ZLenarduzzi VDe Lucia APalomba F(2023)Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on securityEmpirical Software Engineering10.1007/s10664-023-10287-x28:4Online publication date: 24-May-2023
https://dl.acm.org/doi/10.1007/s10664-023-10287-x
Ikegami AKula RChinthanet BMaeprasart VOuni AIshio TMatsumoto K(2022)On the Use of Refactoring in Security Vulnerability Fixes: An Exploratory Study on Maven LibrariesProceedings of the 26th International Conference on Evaluation and Assessment in Software Engineering10.1145/3530019.3535304(288-293)Online publication date: 13-Jun-2022
https://dl.acm.org/doi/10.1145/3530019.3535304
Brown CBarwell AMarquer YZendra ORichmond TGu CAriola ZCong Y(2022)Semi-automatic ladderisation: improving code security through rewriting and dependent typesProceedings of the 2022 ACM SIGPLAN International Workshop on Partial Evaluation and Program Manipulation10.1145/3498886.3502202(14-27)Online publication date: 17-Jan-2022
https://dl.acm.org/doi/10.1145/3498886.3502202
Almogahed AOmar MZakaria N(2022)Refactoring Codes to Improve Software Security RequirementsProcedia Computer Science10.1016/j.procs.2022.08.013204:C(108-115)Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1016/j.procs.2022.08.013
Hannousse ANait-Hamoud MYahiouche S(2022)A deep learner model for multi-language webshell detectionInternational Journal of Information Security10.1007/s10207-022-00615-522:1(47-61)Online publication date: 18-Oct-2022
https://dl.acm.org/doi/10.1007/s10207-022-00615-5
Khan RKhan SAkbar MAlzahrani M(2022)Security risks of global software development life cycleJournal of Software: Evolution and Process10.1002/smr.252136:3Online publication date: 23-Nov-2022
https://dl.acm.org/doi/10.1002/smr.2521

View Options

View options

Figures

Tables

Media

View Issue’s Table of Contents