Kazi Zakia Sultana

Bio: Kazi Zakia Sultana is an academic researcher from Montclair State University. The author has contributed to research in topics: Software security assurance & Software quality. The author has an hindex of 8, co-authored 33 publications receiving 313 citations. Previous affiliations of Kazi Zakia Sultana include Chittagong University of Engineering & Technology & Mississippi State University.

Diversity and Inclusion in Open Source Software (OSS) Projects: Where Do We Stand?

Abstract: Background: As the area of computing has thrived over the years, the participation of women in computing declined. Currently women represent less than 24% of the computing workforce and that number is declining. On the other hand, the ratios of women in Open Source Software (OSS) projects are even lower.Aims: The primary objective of this study is to determine the level of gender diversity among popular OSS projects and identify the presence of gender biases that may discourage females’ participation.Method: On this goal, we mined the code review repositories of ten popular OSS projects. We used a semi-automated approach followed by a manual validation to identify the genders of the active contributors.Results: Our results suggest that lack of gender diversity remains an ongoing issue among all the ten projects as each of the projects had less than 10% female developers. However, many of the projects also suffer from lack of inclusion of females to leadership positions. Although none of the projects suggest significant differences between male and female developers in terms of productivity based on three different measures, data from three out of the ten projects indicate technical biases against female developers with lower code acceptance rates as well as delayed feedback during code reviews. However, biases against females are not universal as majority of the projects do not discriminate against females. The two projects with the least ratios of female contributors as core developers showed the most biases against females.Conclusion: Based on our findings, we conclude that promoting and mentoring females to leadership positions may be an effective solution to foster gender diversity.

Expressions of Sentiments during Code Reviews: Male vs. Female

Abstract: As most of the software development organizations are male-dominated, many female developers encounter negative workplace experiences and report feeling like they “do not belong”. Exposures to discriminatory expletives or negative critiques from their male colleagues may further exacerbate those feelings. The primary goal of this study is to identify the differences in expressions of sentiments between male and female developers during various software engineering tasks. On this goal, we mined the code review repositories of six popular open source projects. We used a semi-automated approach leveraging the name as well as multiple social networks to identify the gender of a developer. Using SentiSE, a customized and state-of-the-art sentiment analysis tool for the software engineering domain, we classify each communication as negative, positive, or neutral. We also compute the frequencies of sentiment words, emoticons, and expletives used by each developer.Our results suggest that the likelihood of using sentiment words, emoticons, and expletives during code reviews varies based on the gender of a developer, as females are significantly less likely to express sentiments than males. Although female developers were more neutral to their male colleagues than to another female, male developers from three out of the six projects were not only writing more frequent negative comments but also withholding positive encouragements from their female counterparts. Our results provide empirical evidence of another factor behind the negative work place experiences encountered by the female developers that may be contributing to the diminishing number of females in the SE industry.

Using software metrics for predicting vulnerable classes and methods in Java projects: A machine learning approach

Abstract: [Context]A software vulnerability becomes harmful for software when an attacker successfully exploits the insecure code and reveals the vulnerability. A single vulnerability in code can put the entire software at risk. Therefore, maintaining software security throughout the software life cycle is an important and at the same time challenging task for development teams. This can also leave the door open for vulnerable code being evolved during successive releases. In recent years, researchers have used software metrics‐based vulnerability prediction approaches to detect vulnerable code early and ensure secure code releases. Software metrics have been employed to predict vulnerability specifically in C/C++ and Java‐based systems. However, the prediction performance of metrics at different granularity levels (class level or method level) has not been analyzed. In this paper, we focused on metrics that are specific to lower granularity levels (Java classes and methods). Based on statistical analysis, we first identified a set of class‐level metrics and a set of method‐level metrics and then employed them as features in machine learning techniques to predict vulnerable classes and methods, respectively. This paper describes a comparative study on how our selected metrics perform at different granularity levels. Such a comparative study can help the developers in choosing the appropriate metrics (at the desired level of granularity). [Objective] The goal of this research is to propose a set of metrics at two lower granularity levels and provide evidence for their usefulness during vulnerability prediction (which will help in maintaining secure code and ensure secure software evolution). [Method] For four Java‐based open source systems (including two releases of Apache Tomcat), we designed and conducted experiments based on statistical tests to propose a set of software metrics that can be used for predicting vulnerable code components (i.e., vulnerable classes and methods). Next, we used our identified metrics as features to train supervised machine learning algorithms to classify Java code as vulnerable or non‐vulnerable. [Result] Our study has successfully identified a set of class‐level metrics and a second set of method‐level metrics that can be useful from a vulnerability prediction standpoint. We achieved recall higher than 70% and precision higher than 75% in vulnerability prediction using our identified class‐level metrics as features of machine learning. Furthermore, method‐level metrics showed recall higher than 65% and precision higher than 80%.

Correlation Analysis among Java Nano-Patterns and Software Vulnerabilities

Abstract: Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs that are method-level patterns defined on the attributes of Java methods. This study aims to find out the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. We found the vulnerable methods from 39 versions of three major releases of Apache Tomcat for our first case study. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this, we selected the last version of three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purpose. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader are more prevalent in affected methods whereas some such as straightLine are more vivid in non-affected methods. We conclude that nano-patterns can be used as the indicator of vulnerability-proneness of code.

State of the art automated black-box web application vulnerability testing

Abstract: Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and (iii) the relevance of the target vulnerabilities to vulnerabilities found in the wild To conduct our study we used a custom web application vulnerable to known and projected vulnerabilities, and previous versions of widely used web applications containing known vulnerabilities Our results show the promise and effectiveness of automated tools, as a group, and also some limitations In particular, "stored" forms of Cross Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities are not currently found by many tools Because our goal is to assess the potential of future research, not to evaluate specific vendors, we do not report comparative data or make any recommendations about purchase of specific tools