Information and Software Technology最新文献

{"title":"Beyond domain dependency in security requirements identification","authors":"Francesco Casillo,&nbsp;Vincenzo Deufemia,&nbsp;Carmine Gravino","doi":"10.1016/j.infsof.2025.107702","DOIUrl":"10.1016/j.infsof.2025.107702","url":null,"abstract":"<div><h3>Context:</h3><div>Early security requirements identification is crucial in software development, facilitating the integration of security measures into IT networks and reducing time and costs throughout software life-cycle.</div></div><div><h3>Objectives:</h3><div>This paper addresses the limitations of existing methods that leverage Natural Language Processing (NLP) and machine learning techniques for detecting security requirements. These methods often fall short in capturing syntactic and semantic relationships, face challenges in adapting across domains, and rely heavily on extensive domain-specific data. In this paper we focus on identifying the most effective approaches for this task, highlighting both domain-specific and domain-independent strategies.</div></div><div><h3>Method:</h3><div>Our methodology encompasses two primary streams of investigation. First, we explore shallow machine learning techniques, leveraging word embeddings. We test ensemble methods and grid search within and across domains, evaluating on three industrial datasets. Next, we develop several domain-independent models based on BERT, tailored to better detect security requirements by incorporating data on software weaknesses and vulnerabilities.</div></div><div><h3>Results:</h3><div>Our findings reveal that ensemble and grid search methods prove effective in domain-specific and domain-independent experiments, respectively. However, our custom BERT models showcase domain independence and adaptability. Notably, the CweCveCodeBERT model excels in Precision and F1-score, outperforming existing approaches significantly. It improves F1-score by <span><math><mo>∼</mo></math></span>3% and Precision by <span><math><mo>∼</mo></math></span>14% over the best approach currently in the literature.</div></div><div><h3>Conclusion:</h3><div>BERT-based models, especially with specialized pre-training, show promise for automating security requirement detection. This establishes a foundation for software engineering researchers and practitioners to utilize advanced NLP to improve security in early development phases, fostering the adoption of these state-of-the-art methods in real-world scenarios.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107702"},"PeriodicalIF":3.8,"publicationDate":"2025-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143680934","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Requirements engineering for no-code development (RE4NCD): Case studies of rapid application development during crisis","authors":"Meira Levy ,&nbsp;Irit Hadar","doi":"10.1016/j.infsof.2025.107724","DOIUrl":"10.1016/j.infsof.2025.107724","url":null,"abstract":"<div><h3>Context</h3><div>In recent years, a new development approach has emerged, for rapid application development (RAD) supported by platforms that enable low or no-code development (NCD). This approach is designed for developers with limited or no coding expertise and for achieving a very short time-to-deployment. The requirements engineering (RE) and design phases are typically omitted during RAD, thus posing challenges in ensuring a rigorous, sustainable, and flexible application.</div></div><div><h3>Objective</h3><div>To propose an RE method for NCD (RE4NCD) that would respect the limitations in which NCD is conducted yet ensure more rigorous development and outcome.</div></div><div><h3>Method</h3><div>A participatory case study aimed to explore RAD processes as performed with the \"Monday\" NCD platform and, accordingly, to develop the RE4NCD method. This study was followed by multiple (non-participatory) case studies for the refinement and validation of the proposed method. All case studies focused on civilian management systems that were developed rapidly during a time of war and included qualitative data collection and thematic analysis.</div></div><div><h3>Results</h3><div>The thematic analysis resulted in categories of RE activities to be included in the RE4NCD method, leading to its construction in the first case study, and its refinement and validation in the follow-up case studies.</div></div><div><h3>Conclusion</h3><div>The paper highlights the theoretical and practical implications of RE4NCD, underscoring the potential transformative impact of NCD on the software development industry. It also proposes future research aimed at refining and validating the RE4NCD method, tracking the adoption and evolution of applications in diverse organizations, and applying the method to additional case studies for evaluation and validation.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107724"},"PeriodicalIF":3.8,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143680937","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Dynamic information utilization for securing Ethereum smart contracts: A literature review","authors":"Tianyuan Hu ,&nbsp;Bixin Li","doi":"10.1016/j.infsof.2025.107719","DOIUrl":"10.1016/j.infsof.2025.107719","url":null,"abstract":"<div><div>Smart contracts, self-executing programs that govern digital assets on blockchain platforms, have gained widespread adoption due to their automation and transparency. However, vulnerabilities in smart contracts can lead to financial losses and reputational damage, making their security a critical concern. Static code auditing methods are prone to false positives and false negatives, as they fail to account for real-time execution conditions. The integration of dynamic information offers a promising avenue for addressing these limitations and enhancing smart contract security. Ethereum, the most widely used blockchain platform, provides a wealth of publicly available data and has attracted significant attention from researchers due to its security problems. This paper presents a systematic mapping study focused on Ethereum, reviewing the existing literature on the use of dynamic information for enhancing the security of smart contracts. It offers a comprehensive overview of security problems, dynamic information types, technical approaches, and validation methods. Furthermore, we examine the implications and limitations of current research and propose future directions for further exploration in the field of Ethereum smart contract protection.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107719"},"PeriodicalIF":3.8,"publicationDate":"2025-03-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143629118","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A software vulnerability detection method based on multi-modality with unified processing","authors":"Wenjing Cai ,&nbsp;Junlin Chen ,&nbsp;Jiaping Yu ,&nbsp;Wei Hu ,&nbsp;Lipeng Gao","doi":"10.1016/j.infsof.2025.107703","DOIUrl":"10.1016/j.infsof.2025.107703","url":null,"abstract":"<div><div>With the development of the Internet and the Internet of Things, software has become an indispensable part, making software vulnerabilities one of the main threats to computer security. In recent years, a multitude of deep learning-based software vulnerability detection methods have been proposed, especially those based on multimodal approaches. Although these multimodal methods have proven to be effective, they often treat each modality separately. We propose a novel multimodal deep learning method for software vulnerability detection that achieves unified processing of various modalities. This method uses complex network analysis to convert the Code Property Graph into an image-like matrix, obtains key fragments from the source code using code slicing, and then uses a Transformer for function-level vulnerability detection. This enables deeper integration of information from multiple modalities, enhancing detection accuracy. Additionally, it significantly simplifies the model architecture. The result shows that compared to the state-of-the-art methods, our method has improved accuracy by 3%. Furthermore, our approach is capable of detecting some of the vulnerabilities recently released by CVE.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107703"},"PeriodicalIF":3.8,"publicationDate":"2025-03-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143637461","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Fairness-aware practices from developers’ perspective: A survey","authors":"Gianmario Voria,&nbsp;Giulia Sellitto,&nbsp;Carmine Ferrara,&nbsp;Francesco Abate,&nbsp;Andrea De Lucia,&nbsp;Filomena Ferrucci,&nbsp;Gemma Catolino,&nbsp;Fabio Palomba","doi":"10.1016/j.infsof.2025.107710","DOIUrl":"10.1016/j.infsof.2025.107710","url":null,"abstract":"<div><h3>Context:</h3><div>Machine Learning (ML) technologies have shown great promise in many areas, but when used without proper oversight, they can produce biased results that discriminate against historically underrepresented groups. In recent years, the software engineering research community has contributed to addressing the need for ethical machine learning by proposing a number of fairness-aware practices, e.g., fair data balancing or testing approaches, that may support the management of fairness requirements throughout the software lifecycle. Nonetheless, the actual validity of these practices, in terms of practical application, impact, and effort, from the developers’ perspective has not been investigated yet.</div></div><div><h3>Objective:</h3><div>This paper addresses this limitation, assessing the developers’ perspective of a set of 28 fairness practices collected from the literature.</div></div><div><h3>Methods:</h3><div>We perform a survey study involving 155 practitioners who have been working on the development and maintenance of ML-enabled systems, analyzing the answers via statistical and clustering analysis to group fairness-aware practices based on their application frequency, impact on bias mitigation, and effort required for their application.</div></div><div><h3>Results:</h3><div>While all the practices are deemed relevant by developers, those applied at the early stages of development appear to be the most impactful. More importantly, the effort required to implement the practices is average and sometimes high, with a subsequent average application.</div></div><div><h3>Conclusion:</h3><div>The findings highlight the need for effort-aware automated approaches that ease the application of the available practices, as well as recommendation systems that may suggest when and how to apply fairness-aware practices throughout the software lifecycle.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107710"},"PeriodicalIF":3.8,"publicationDate":"2025-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143593490","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Unveiling security weaknesses in autonomous driving systems: An in-depth empirical study","authors":"Wenyuan Cheng ,&nbsp;Zengyang Li ,&nbsp;Peng Liang ,&nbsp;Ran Mo ,&nbsp;Hui Liu","doi":"10.1016/j.infsof.2025.107709","DOIUrl":"10.1016/j.infsof.2025.107709","url":null,"abstract":"<div><h3>Context:</h3><div>The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust.</div></div><div><h3>Objective:</h3><div>This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS.</div></div><div><h3>Methods:</h3><div>We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research.</div></div><div><h3>Results:</h3><div>Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance.</div></div><div><h3>Conclusions:</h3><div>These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities. Meanwhile, proactive protection strategies, such as regular update of third-party libraries, are essential to improve ADS security. And regulatory bodies can play a crucial role in promoting the use of static code analysis tools and setting industry security standards.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107709"},"PeriodicalIF":3.8,"publicationDate":"2025-03-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143593491","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"JIT-CF: Integrating contrastive learning with feature fusion for enhanced just-in-time defect prediction","authors":"Xiaolin Ju ,&nbsp;Yi Cao ,&nbsp;Xiang Chen ,&nbsp;Lina Gong ,&nbsp;Vaskar Chakma ,&nbsp;Xin Zhou","doi":"10.1016/j.infsof.2025.107706","DOIUrl":"10.1016/j.infsof.2025.107706","url":null,"abstract":"<div><h3>Context:</h3><div>Just-in-time defect prediction (JIT-DP) is a crucial process in software development that focuses on identifying potential defects during code changes, facilitating early mitigation and quality assurance. Pre-trained language models like CodeBERT have shown promise in various applications but often struggle to distinguish between defective and non-defective code, especially when dealing with noisy labels.</div></div><div><h3>Objective:</h3><div>The primary aim of this study is to enhance the robustness of pre-trained language models in identifying software defects by developing an innovative framework that leverages contrastive learning and feature fusion.</div></div><div><h3>Method:</h3><div>We introduce JIT-CF, a framework that improves model robustness by employing contrastive learning to maximize similarity within positive pairs and minimize it between negative pairs, thereby enhancing the model’s ability to detect subtle differences in code changes. Additionally, feature fusion is used to combine semantic and expert features, enabling the model to capture richer contextual information. This integrated approach aims to improve the identification and resolution of code defects.</div></div><div><h3>Results:</h3><div>JIT-CF was evaluated using the JIT-Defects4J dataset, which includes 23,379 code commits from 21 projects. The results indicate substantial performance improvements over seven state-of-the-art baselines, with enhancements of up to 13.9% in F1-score, 8% in AUC, and 11% in Recall@20%E. The study also explores the impact of specific customization enhancements, demonstrating the potential for improved just-in-time defect localization.</div></div><div><h3>Conclusion:</h3><div>The proposed JIT-CF framework significantly advances the field of just-in-time defect prediction by effectively addressing the challenges encountered by pre-trained models in distinguishing code defects. The integration of contrastive learning and feature fusion not only enhances the model’s robustness but also leads to notable improvements in prediction accuracy, offering valuable insights for future applications in software development.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107706"},"PeriodicalIF":3.8,"publicationDate":"2025-03-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143577972","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A review of backdoor attacks and defenses in code large language models: Implications for security measures","authors":"Yubin Qu ,&nbsp;Song Huang ,&nbsp;Peng Nie","doi":"10.1016/j.infsof.2025.107707","DOIUrl":"10.1016/j.infsof.2025.107707","url":null,"abstract":"<div><h3>Context:</h3><div>Large Language Models (LLMS) have revolutionized software engineering by bridging human language understanding and complex problem solving. However, resource constraints often lead users to rely on open-source models or third-party platforms for training and prompt engineering, introducing significant security vulnerabilities.</div></div><div><h3>Objective:</h3><div>This study provides a comprehensive analysis of backdoor attacks targeting LLMS in software engineering, with a particular focus on fine-tuning methods. Our work addresses a critical gap in existing literature by proposing a novel three-category framework for backdoor attacks: full-parameter fine-tuning, parameter-efficient fine-tuning, and no-tuning attacks.</div></div><div><h3>Methods:</h3><div>We systematically reviewed existing studies and analyzed attack success rates across different methods. Full-parameter fine-tuning generally achieves high success rates but requires significant computational resources. Parameter-efficient fine-tuning offers comparable success rates with lower resource demands, while no-tuning attacks exhibit variable success rates depending on prompt design, posing unique challenges due to their minimal resource requirements.</div></div><div><h3>Results:</h3><div>Our findings underscore the evolving landscape of backdoor attacks, highlighting the shift towards more resource-efficient and stealthy methods. These trends emphasize the need for advanced detection mechanisms and robust defense strategies.</div></div><div><h3>Conclusion:</h3><div>By focusing on code-specific threats, this study provides unique insights into securing LLMS in software engineering. Our work lays the foundation for future research on developing sophisticated defense mechanisms and understanding stealthy backdoor attacks.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107707"},"PeriodicalIF":3.8,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143562207","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Cascading failure prediction and recovery in large-scale critical infrastructure networks: A survey","authors":"Beibei Li,&nbsp;Wei Hu,&nbsp;Chaoxuan Yuan,&nbsp;Xinxin Wang,&nbsp;Yiwei Li,&nbsp;Yibing Wu","doi":"10.1016/j.infsof.2025.107705","DOIUrl":"10.1016/j.infsof.2025.107705","url":null,"abstract":"<div><h3>Context:</h3><div>Large-scale critical infrastructure (CI) networks are crucial to society but prone to cascading failures due to their dynamic and interconnected characteristics. Recent research focuses on their reliability, using network theories and real-world data to develop recovery functions and crash warning indicators.</div></div><div><h3>Objective:</h3><div>This review evaluates cascading failure prediction and recovery trends, examines verification methods, and addresses challenges in enhancing network reliability and topology recovery within CI systems.</div></div><div><h3>Methods:</h3><div>A comprehensive survey explores cascading failure prediction and recovery from two perspectives: inter-network and inter-module structures. It summarizes recent research trends, common verification platforms, and datasets for predicting and recovering from cascading failures.</div></div><div><h3>Results:</h3><div>The review focuses on low-dimensional static networks, revealing significant challenges in dynamic environments. It underscores the necessity for improved recovery techniques and enhanced network reliability.</div></div><div><h3>Conclusion:</h3><div>This article identifies future research directions and unresolved issues by analyzing existing work in cascading failure prediction and recovery. Understanding cascading failure mechanisms aims to inspire the design of more resilient and reliable network systems, contributing to developing cohesive and low-coupling CI systems.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107705"},"PeriodicalIF":3.8,"publicationDate":"2025-03-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143550405","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Investigating the relationship between coordination strategy and coordination effectiveness in agile software development projects","authors":"Geetha Kanaparan ,&nbsp;Diane E. Strode","doi":"10.1016/j.infsof.2025.107708","DOIUrl":"10.1016/j.infsof.2025.107708","url":null,"abstract":"<div><h3>Context</h3><div>Agile software development (ASD) provides a way to coordinate teams and projects. Coordination is achieved by adopting a set of agile practices; however, these agile practices may differ for each project. The chosen assemblage of practices can be considered an agile project coordination strategy. The current body of knowledge about coordinative practices and theories of coordination in ASD is almost exclusively based on case studies. A validated model is currently lacking.</div></div><div><h3>Objective</h3><div>The objective is to validate a theoretical model to explain coordination in ASD, particularly the relationship between coordination strategy and coordination effectiveness.</div></div><div><h3>Method</h3><div>We validate this relationship based on an international survey of 340 agile practitioners and use PLS-SEM to estimate the relationships.</div></div><div><h3>Results</h3><div>The results show that an agile coordination strategy, that includes synchronisation, structure, and boundary-spanning, has a positive relationship with coordination effectiveness (implicit and explicit). Customer involvement moderates the relationship between coordination strategy and coordination effectiveness. These results are primarily supported by evidence from virtual work arrangements.</div></div><div><h3>Conclusion</h3><div>This research provides a validated coordination theory and information on what agile practices are related to effective coordination in agile software development. This coordination theory can be used to investigate coordination in future agile method variants used in system and software development projects.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"182 ","pages":"Article 107708"},"PeriodicalIF":3.8,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143593482","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}