MSR 2020
Mon 29 - Tue 30 June 2020
co-located with ICSE 2020
Tue 30 Jun 2020 11:00 - 11:12 at MSR:Zoom2 - Security Chair(s): Dimitris Mitropoulos

Authentication is a critical security feature for confirming the identity of a system’s users, typically implemented with help from frameworks like Spring Security. It’s important to robustly test complex security features, and unit testing is an effective technique for verifying the correctness of the fine-grained behaviors of a feature. Unfortunately, resources to help developers unit test security features are limited. Most guides focus on black box or penetration testing, tests produced by existing test generation tools are difficult to maintain, and recommendation solutions usually focus on prioritization and selection of existing tests. These solutions are not applicable to developers writing new unit tests, or who want to use metrics other than coverage to track what has been tested.

In this paper, we address these issues using a grounded theory-based approach to identify common test cases for token authentication by analyzing 481 JUnit tests exercising Spring Security-based authentication implementations from 53 open source Java projects. The outcome of this study is a unit testing guide organized as a catalog of 52 test cases for token authentication, representing unique combinations of 17 scenarios, 40 conditions, and 30 expected outcomes learned from the data set in our analysis. We supplement the test guide with common test smells to avoid. To verify the accuracy and usefulness of our testing guide, we sought feedback from selected developers, some of whom authored unit tests in our dataset.

Conference Day
Tue 30 Jun

Displayed time zone: (UTC) Coordinated Universal Time

11:00 - 12:00
SecurityData Showcase / Technical Papers at MSR:Zoom2
Chair(s): Dimitris Mitropoulos (Athens University of Economics and Business)

Q/A & Discussion of Session Papers over Zoom (Joining info available on Slack)

11:00
12m
Live Q&A
Did You Remember To Test Your Tokens? (MSR - Technical Paper)
Technical Papers
Danielle Gonzalez (Rochester Institute of Technology, USA), Michael Rath (Technische Universität Ilmenau), Mehdi Mirakhorli (Rochester Institute of Technology)
DOI Pre-print Media Attached
11:12
12m
Live Q&A
Automatically Granted Permissions in Android apps (MSR - Technical Paper)
Technical Papers
Paolo Calciati (IMDEA Software Institute), Konstantin Kuznetsov (Saarland University, CISPA), Alessandra Gorla (IMDEA Software Institute), Andreas Zeller (CISPA Helmholtz Center for Information Security)
Media Attached
11:24
12m
Live Q&A
PUMiner: Mining Security Posts from Developer Question and Answer Websites with PU Learning (MSR - Technical Paper)
Technical Papers
Triet Le Huynh Minh (The University of Adelaide), David Hin, Roland Croft, Muhammad Ali Babar (The University of Adelaide)
DOI Pre-print Media Attached
11:36
12m
Live Q&A
A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries (MSR - Data Showcase)
Data Showcase
Jiahao Fan (New Jersey Institute of Technology, USA), Yi Li (New Jersey Institute of Technology, USA), Shaohua Wang (New Jersey Institute of Technology, USA), Tien N. Nguyen (University of Texas at Dallas)
Media Attached
11:48
12m
Live Q&A
The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL (MSR - Technical Paper)
Technical Papers
James Walden (Northern Kentucky University)
Pre-print Media Attached