Tool to improve software security in code review

Advantages

MultiDiff’s initial application is geared toward reducing security defects. MultiDiff will enable developers to produce robust code that is less vulnerable.

Technology Details

Software developers are often expected to perform all tasks associated with building a software product. Developers performing code review must judge whether a proposed change to the software’s source code should be accepted and integrated into the master copy or rejected. Understanding the effects of the proposed source code changes and identifying defects is challenging for developers. Large software projects are the most likely to use a code review process, but their complexity makes the code review process difficult. Current code review processes mostly show the developer the changes in the actual code, without providing information on how the changes propagate through the master code or how the code will behave if the changes are accepted.

UBC researchers are developing a novel code review tool, called MultiDiff, for automatically detecting security-relevant changes that should be reviewed before being integrated into the software product. MultiDiff tracks changes in the syntax and structure of the project code that originate from the proposed source code changes, revealing additional layers of insight to developers. Specifically, changes in control flow, value flow and variable names are highlighted to the developer in a user-friendly manner, and their relationship to the proposed source code changes is explained. This additional insight enables improved code review and reduces the number of defects in the master copy.