{"id":"https://openalex.org/W4399460644","doi":"https://doi.org/10.1007/s10664-024-10496-y","title":"Toward effective secure code reviews: an empirical study of security-related coding weaknesses","display_name":"Toward effective secure code reviews: an empirical study of security-related coding weaknesses","publication_year":2024,"publication_date":"2024-06-08","ids":{"openalex":"https://openalex.org/W4399460644","doi":"https://doi.org/10.1007/s10664-024-10496-y"},"language":"en","primary_location":{"id":"doi:10.1007/s10664-024-10496-y","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-024-10496-y","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-024-10496-y.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10664-024-10496-y.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5071326125","display_name":"Wachiraphan Charoenwet","orcid":"https://orcid.org/0000-0002-9814-3514"},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]}],"countries":["AU"],"is_corresponding":true,"raw_author_name":"Wachiraphan Charoenwet","raw_affiliation_strings":["School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040320723","display_name":"Patanamon Thongtanunam","orcid":"https://orcid.org/0000-0001-6328-8839"},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Patanamon Thongtanunam","raw_affiliation_strings":["School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056177929","display_name":"Van-Thuan Pham","orcid":"https://orcid.org/0000-0002-9871-3695"},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Van-Thuan Pham","raw_affiliation_strings":["School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5077658936","display_name":"Christoph Treude","orcid":"https://orcid.org/0000-0002-6919-2149"},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]},{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["AU","SG"],"is_corresponding":false,"raw_author_name":"Christoph Treude","raw_affiliation_strings":["School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia","School of Computing and Information Systems, Singapore Management University, Singapore, Singapore"],"affiliations":[{"raw_affiliation_string":"School of Computing and Information Systems, Faculty of Engineering and Information Technology, The University of Melbourne, Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]},{"raw_affiliation_string":"School of Computing and Information Systems, Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5071326125"],"corresponding_institution_ids":["https://openalex.org/I165779595"],"apc_list":{"value":2290,"currency":"EUR","value_usd":2890},"apc_paid":{"value":2290,"currency":"EUR","value_usd":2890},"fwci":6.1234,"has_fulltext":false,"cited_by_count":8,"citation_normalized_percentile":{"value":0.96305534,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":"29","issue":"4","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9944000244140625,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9923999905586243,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.8075512647628784},{"id":"https://openalex.org/keywords/code-review","display_name":"Code review","score":0.7868471741676331},{"id":"https://openalex.org/keywords/strengths-and-weaknesses","display_name":"Strengths and weaknesses","score":0.7060798406600952},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.671806812286377},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5328341722488403},{"id":"https://openalex.org/keywords/coding","display_name":"Coding (social sciences)","score":0.45743873715400696},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.43989020586013794},{"id":"https://openalex.org/keywords/empirical-research","display_name":"Empirical research","score":0.42709988355636597},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.4163632392883301},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.3957075774669647},{"id":"https://openalex.org/keywords/static-program-analysis","display_name":"Static program analysis","score":0.2940948009490967},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.22302454710006714},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.20855456590652466},{"id":"https://openalex.org/keywords/psychology","display_name":"Psychology","score":0.12086072564125061},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.09081262350082397},{"id":"https://openalex.org/keywords/sociology","display_name":"Sociology","score":0.07366561889648438},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.07053345441818237}],"concepts":[{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.8075512647628784},{"id":"https://openalex.org/C150292731","wikidata":"https://www.wikidata.org/wiki/Q1342704","display_name":"Code review","level":5,"score":0.7868471741676331},{"id":"https://openalex.org/C63882131","wikidata":"https://www.wikidata.org/wiki/Q17122954","display_name":"Strengths and weaknesses","level":2,"score":0.7060798406600952},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.671806812286377},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5328341722488403},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.45743873715400696},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.43989020586013794},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.42709988355636597},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.4163632392883301},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3957075774669647},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.2940948009490967},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.22302454710006714},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.20855456590652466},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.12086072564125061},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.09081262350082397},{"id":"https://openalex.org/C144024400","wikidata":"https://www.wikidata.org/wiki/Q21201","display_name":"Sociology","level":0,"score":0.07366561889648438},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.07053345441818237},{"id":"https://openalex.org/C36289849","wikidata":"https://www.wikidata.org/wiki/Q34749","display_name":"Social science","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s10664-024-10496-y","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-024-10496-y","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-024-10496-y.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s10664-024-10496-y","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10664-024-10496-y","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10664-024-10496-y.pdf","source":{"id":"https://openalex.org/S109852484","display_name":"Empirical Software Engineering","issn_l":"1382-3256","issn":["1382-3256","1573-7616"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Empirical Software Engineering","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320320974","display_name":"University of Melbourne","ror":"https://ror.org/01ej9dk98"}],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4399460644.pdf"},"referenced_works_count":51,"referenced_works":["https://openalex.org/W1967446222","https://openalex.org/W1979503333","https://openalex.org/W1986222079","https://openalex.org/W1997548934","https://openalex.org/W1999067077","https://openalex.org/W2015696622","https://openalex.org/W2024635814","https://openalex.org/W2036487649","https://openalex.org/W2053154970","https://openalex.org/W2111998194","https://openalex.org/W2112736324","https://openalex.org/W2125279207","https://openalex.org/W2139092060","https://openalex.org/W2142245496","https://openalex.org/W2147386665","https://openalex.org/W2148854374","https://openalex.org/W2169090130","https://openalex.org/W2283315146","https://openalex.org/W2294407885","https://openalex.org/W2348249338","https://openalex.org/W2387719207","https://openalex.org/W2401113443","https://openalex.org/W2528913414","https://openalex.org/W2563377808","https://openalex.org/W2724265843","https://openalex.org/W2759187825","https://openalex.org/W2884229567","https://openalex.org/W2894722607","https://openalex.org/W2911282308","https://openalex.org/W3022160310","https://openalex.org/W3048508766","https://openalex.org/W3082547986","https://openalex.org/W3082737479","https://openalex.org/W3088043671","https://openalex.org/W3160070616","https://openalex.org/W3161576608","https://openalex.org/W3162923072","https://openalex.org/W3163812320","https://openalex.org/W3175279244","https://openalex.org/W3217134235","https://openalex.org/W4225693846","https://openalex.org/W4235786747","https://openalex.org/W4236176675","https://openalex.org/W4246032972","https://openalex.org/W4256657178","https://openalex.org/W4285490477","https://openalex.org/W4294214983","https://openalex.org/W4301142158","https://openalex.org/W4310563050","https://openalex.org/W4352977288","https://openalex.org/W4377100930"],"related_works":["https://openalex.org/W2141388993","https://openalex.org/W1978034799","https://openalex.org/W2999607548","https://openalex.org/W2292865721","https://openalex.org/W1986222079","https://openalex.org/W2956597637","https://openalex.org/W2044639210","https://openalex.org/W4319165526","https://openalex.org/W4388185423","https://openalex.org/W4293023587"],"abstract_inverted_index":{"Abstract":[0],"Identifying":[1],"security":[2,32,56,109,146,195,224],"issues":[3,33,57,196],"early":[4],"is":[5,19],"encouraged":[6],"to":[7,26,124,143,165,194],"reduce":[8],"the":[9,14,139,212],"latent":[10],"negative":[11],"impacts":[12],"on":[13,46,99],"software":[15,36],"systems.":[16],"Code":[17],"review":[18,42,102,179,209],"a":[20,35,153],"widely-used":[21],"method":[22],"that":[23,58,106,172,186],"allows":[24],"developers":[25],"manually":[27],"inspect":[28],"modified":[29],"code,":[30],"catching":[31],"during":[34,197],"development":[37],"cycle.":[38],"However,":[39,200],"existing":[40],"code":[41,63,68,101,178,198,208,228],"studies":[43],"often":[44,137],"focus":[45],"known":[47],"vulnerabilities,":[48,126],"neglecting":[49],"coding":[50,73,116,121,173,191],"weaknesses,":[51],"which":[52],"can":[53,175,188],"introduce":[54],"real-world":[55],"are":[59,75],"more":[60,215],"visible":[61],"through":[62,177],"review.":[64],"The":[65],"practices":[66],"of":[67,114,223],"reviews":[69],"in":[70,90,111,148,206,227],"identifying":[71],"such":[72,127],"weaknesses":[74,122,174,192],"not":[76],"yet":[77],"fully":[78],"investigated.":[79],"To":[80],"better":[81],"understand":[82],"this,":[83],"we":[84,104],"conducted":[85],"an":[86],"empirical":[87],"case":[88],"study":[89],"two":[91],"large":[92],"open-source":[93],"projects,":[94],"OpenSSL":[95],"and":[96,131,160],"PHP.":[97],"Based":[98],"135,560":[100],"comments,":[103],"found":[105],"reviewers":[107,187],"raised":[108,145],"concerns":[110,147],"35":[112],"out":[113],"40":[115],"weakness":[117],"categories.":[118],"Surprisingly,":[119],"some":[120,161],"related":[123],"past":[125],"as":[128],"memory":[129],"errors":[130],"resource":[132],"management,":[133],"were":[134],"discussed":[135],"less":[136],"than":[138],"vulnerabilities.":[140],"Developers":[141],"attempted":[142],"address":[144],"many":[149],"cases":[150],"(39%-41%),":[151],"but":[152],"substantial":[154],"portion":[155],"was":[156],"merely":[157],"acknowledged":[158],"(30%-36%),":[159],"went":[162],"unfixed":[163],"due":[164],"disagreements":[166],"about":[167],"solutions":[168],"(18%-20%).":[169],"This":[170],"highlights":[171],"slip":[176],"even":[180],"when":[181],"identified.":[182],"Our":[183],"findings":[184],"suggest":[185],"identify":[189],"various":[190],"leading":[193],"reviews.":[199,229],"these":[201],"results":[202],"also":[203],"reveal":[204],"shortcomings":[205],"current":[207],"practices,":[210],"indicating":[211],"need":[213],"for":[214,220],"effective":[216],"mechanisms":[217],"or":[218],"support":[219],"increasing":[221],"awareness":[222],"issue":[225],"management":[226]},"counts_by_year":[{"year":2026,"cited_by_count":5},{"year":2025,"cited_by_count":3}],"updated_date":"2026-04-09T08:11:56.329763","created_date":"2025-10-10T00:00:00"}