MSR4P&S 2022

1st International Workshop @ ESEC/FSE 2022 (Singapore)

Theme & Goals

SUBMISSION DEADLINE EXTENDED: JULY 31st (anywhere on earth), 2022

The last decades have put Privacy and Security (P&S) in the spotlight of information technology as data breaches and cyberattacks have spiked globally. Still, P&S are often afterthoughts in software development as their benefits are sometimes difficult to demonstrate and their costs hard to justify [6,8]. However, such technical debt is becoming hard to sustain as new legal frameworks, such as the EU General Data Protection Regulation (GDPR), demand companies to incorporate P&S features (e.g., transparency, anonymity, and informed consent) at the core of their products [6]. Hence, there is an urgent call for tools and methods supporting the elicitation and deployment of P&S requirements in by-design approach.

P&S are multifaceted and complex research areas spanning across different knowledge domains (e.g., engineering, law, and psychology) [1,5]. Challenges in P&S cannot be solely addressed from a single discipline as they often involve human factors, technological artefacts, and regulatory/legal frameworks [3,9]. Particularly, the quest for P&S solutions requires in-deep knowledge and actionable information about its users/stakeholders, vulnerabilities/flaws, and potential attackers [4,5].

Mining Software Repositories (MSR) techniques can support this quest by providing means to understand the P&S dimensions of information systems, thus help shaping privacy- and security-friendly software. This workshop aims to explore the application of MSR at the different stages of P&S engineering [2,7].

Topics of Interest

For this, we invite MSR researchers and practitioners across multiple disciplines and knowledge backgrounds to submit contributions dealing with the following (or related) topics:

MSR applications for security risk assessment
MSR applications for privacy requirements engineering
MSR applications for security vulnerabilities detection
Engineering PETs through MSR methodologies
Privacy-Enhancing Technologies through MSR
MSR-based research for safety/security by design
Privacy-friendly MSRs (including mixed-methods)
MSR-based mixed-methods on P&S research
Privacy requirements in MSR-based research
Integrating MSRs into P&S research (empirical)
Analysis of repositories to mine for P&S research
Tools supporting MSR-based research for P&S
Datasets used for MSR-based research for P&S
MSR applications to P&S assurance

Any paper within the scope of the workshop will be considered. Additionally, this year we specially welcome submissions elaborating on MSR for the analysis and extraction of privacy and security anti-patterns–namely, solutions that demonstrate knowledge of poor development practices.

Submission Guidelines

Workshop papers must follow the ESEC/FSE 2022 Format and Submission Guidelines. The workshop follows a double-blind peer review process, aligned with ESEC/FSE’s Double-Blind Review Process' policies. Papers submitted must not reveal the authors’ identities in any way, omitting the names from the submission and referring to self-citations in the third person. The only exception will be dataset and tools papers, which will employ an optional single-blind review process.

All submitted papers will be reviewed regarding technical quality, relevance, significance, and clarity by the program committee. All workshop papers should be submitted electronically in PDF format through the workshop website (ACM Format, Double Columns). Accepted papers will become part of the workshop proceedings.

The workshop welcomes the following types of submissions:

Regular Papers: up to eight pages, including references. It must describe original contributions in research and/or practice. Although they can be work-in-progress, the authors must present a clear path forward. These will be given a 15-minute presentation during the workshop.
Short Papers: up to four pages, including references. It welcomes position papers, experience reports, work-in-progress, new trends papers, industrial reports, datasets and tools. These will be given a 7-minutes presentation during the workshop.

SUBMIT

Important Dates

The following are submission and workshop dates for all types of submissions:

Event	Deadline
Paper Submission	~~July 24th, 2022~~ July 31st, AoE
Main Track Author Notification	~~August 15th, 2022~~
Camera Ready	~~August 29th, 2022~~
Date of Workshop	November 18th, 2022

Program Committee

The Organising Committee thanks the following generous individuals below:

Reviewer	Organisation	Twitter
Muhammad Ikram	Macquarie University	@midkhan
Tosin Daniel Oyetoyan	Western Norway University
Daniela Cruzes	NTNU	@dscruzes
Vahideh Moghtadaiee	Shahid Beheshti University
Sascha Fahl	CISPA	@sascha_fahl
Natalia Stakhanova	University of Saskatchewan	@nstakhanova
Kazi Zakia Sultana	Montclair State University
Diego Costa	Concordia University	@DiegoEliasCosta
Clemente Izurieta	Montana State University
Max Young	Mississippi State University
Mariana Peixoto	Federal University of Pernambuco
Jose del Alamo	Universidad Politécnica de Madrid
Gabriel Pedroza	CEA LIST
Triet Le	University of Adelaide, CREST	@lhmtriet
Maritta Heisal	University Duisburg-Essen
Nicola Zanone	Eindhoven University of Technology

Workshop Program

Times are in Singapore Time (SGT, GMT+8). Please remember to convert to your timezone.

Time	Title	Who
9:00am	Welcome	MSR2P&S Organisers
9:10am	Opening Keynote	Prof. Ali Babar (introduced by N. Diaz-Ferreyra)
10:00am	Break
10:30am	Session 1: Assessing Privacy	W1, W2 (Chair: Z. Codabux)
11:00am	Session 2: Vulnerabilities	W3, W4, W5 (Chair: M. Vidoni)
12:00pm	Closing, End of MSR2P&S	MSR2P&S Organisers

Keynote: MSR for Security–Data Quality Issues, Lessons from Trenches

Software repositories are an attractive source of data for understanding the burning security issues challenging developers, anecdotal solutions, and building AI/ML-based models and tools. That is why there is exponential growth in the literature based on mining software repositories for software security. While the abundance of freely available data for research is a fortune, the data quality issues can make software repositories minefields capable of blowing any time and effort budget for a project. Our group has been active in this area for the last few years to develop knowledge, understanding, and tools for improving software security by mining repositories. Through a mix of successful and failed efforts, we have experienced firsthand what is called “garbage in, garbage out” due to poor data quality. Without fully appreciating the data quality issues, starting a data-driven software security project can be frustrating and disheartening for a research team. We believe engaging the relevant stakeholders in developing and sharing knowledge and technologies to improve software security data quality is crucial. To this end, we are not only systematically identifying and synthesizing the existing empirical literature on improving data quality but also devising innovative solutions for addressing the data quality challenges while mining software repositories for software security. This talk will draw lessons and recommendations from our efforts of systematically reviewing the state-of-the-art and developing solutions for improving data quality while building knowledge, understanding, and tools for supporting software security. The talk will use a selected set of our studies to demonstrate the concrete cases of the challenges faced and the used workarounds to successfully continue our journey of learning and improving in this line of research and practice.

M. Ali Babar is a Professor in the School of Computer Science, University of Adelaide, Australia. He leads a theme on architecture and platform for security as service in CyberSecurity Cooperative Research Centre, a large initiative funded by the Australian government, industry, and research institutes. Prior to joining the University of Adelaide, he was a Reader in Software Engineering with the School of Computing and Communication at Lancaster University, UK. After joining the University of Adelaide, Prof Babar established an interdisciplinary research centre called CREST (Centre for Research on Engineering Software Technologies), where he directs the research and education activities of more than 30 researchers and engineers in the areas of Software Systems Engineering, Security and Privacy, and Social Computing. Professor Babar’s research team draws a significant amount of cash funding and in-kind resources from governmental and industrial organisations. Professor Babar has authored/co-authored more than 270 peer-reviewed research papers at premier Software journals and conferences. Professor Babar obtained a Ph.D. in Computer Science and Engineering from the school of computer science and engineering of University of New South Wales, Australia. He also holds a M.Sc. degree in Computing Sciences from University of Technology, Sydney, Australia.

Accepted Papers

For speaker information, see ESEC/FSE’s Information.

#	Authors	Title/Preprint Link
W1	Samiha Shimmi, Mona Rahimi	Software Repositories for Patternizing Attack-and-Defense Co-Evolution.
W2	Feiyang Tang, Bjarte M. Østvold	Assessing Software Privacy using the Privacy Flow-Graph
W3	Sahrima Jannat Oishwee, Zadia Codabux, Natalia Stakhanova	An Exploratory Study on the Relationship of Smells and Design Issues with Software Vulnerabilities
W4	Joanna Cecilia da Silva Santos, Xueling Zhang, Mehdi Mirakhorli	Counterfeit-Object Oriented Programming Vulnerabilities: An Empirical Study in Java
W5	Mohammed Latif Siddiq, Joanna Cecilia da Silva Santos	SecurityEval Dataset: Mining Vulnerability Examples to Evaluate Machine Learning-Based Code Generation Techniques [ Preprint ]

References

Kathrin Bednar, Sarah Spiekermann, and Marc Langheinrich. “Engineering Privacy by Design: Are Engineers Ready to Live Up to the Challenge?” The Information Society. Vol 35, 3. (2019), 122–142. DOI: 10.1080/01972243.2019.1583296
Seyed Mohammad Ghaffarian and Hamid Reza Shahriari. “Software Vulnerability Analysis and Discovery Using Machine-Learning and Datamining Techniques: A survey”. ACM Computing Surveys (CSUR). Vol 50, 4. (2017), 1–36. DOI 10.1145/3092566
Seda Gürses and Jose M Del Alamo. “Privacy Engineering: Shaping An Emerging Field of Research and Practice”. IEEE Security & Privacy. Vol 14, 2 (2016), 40–46. DOI: 10.1109/MSP.2016.37
Phu X Mai, Arda Goknil, Lwin Khin Shar, Fabrizio Pastore, Lionel C Briand, and Shaban Shaame. “Modeling Security and privacy Requirements: A Use Case-driven Approach”. Information and Software Technology. Vol. 100 (2018), 165–182. DOI: 10.1016/j.infsof.2018.04.007.
Yod-Samuel Martin and Antonio Kung. “Methods and Tools for GDPR Compliance Through Privacy and Data Protection Engineering”. In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, pp108–111. DOI: 10.1109/EuroSPW.2018.00021.
Kalle Rindell, Karin Bernsmed, and Martin Gilje Jaatun. “Managing Security In Software: Or: How I Learned to Stop Worrying and Manage the Security Technical Debt”. In 14th International Conference on Availability, Reliability and Security. pp1–8. DOI: 10.1145/3339252.3340338.
Alireza Sadeghi, Naeem Esfahani, and Sam Malek. “Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities”. In International Conference on Fundamental Approaches to Software Engineering. Springer, pp155–169. DOI: 10.1007/978-3-642-54804-8_11.
Miltiadis Siavvas, Dimitrios Tsoukalas, Marija Jankovic, Dionysios Kehagias, Alexander Chatzigeorgiou, Dimitrios Tzovaras, Nenad Anicic, and Erol Gelenbe. “An Empirical Evaluation of the Relationship Between Technical Debt and Software Security”. In 9th International Conference on Information Society and Technology (ICIST). Vol. 2019. DOI: 10.5281/zenodo.3374712.
Sven Türpe. “The Trouble with Security Requirements”. In IEEE 25th International Requirements Engineering Conference (RE). IEEE, pp122–133. DOI: 10.1109/RE.2017.13.