Poor software quality may hinder future extensions to software code. In contrast to functional bugs, such hidden issues are not immediately visible to developers and users, and the software may still be fully usable. Consequently, developers are not forced to fix these issues, not even to investigate them. Security vulnerabilities are hidden issues as well. However, they can put systems and users' data at risk and lead to financial losses as well as liability and fines under data protection acts. Therefore, from a risk minimization perspective, avoiding security issues may seem more critical than avoiding quality issues when dealing with limited development resources. In this paper, we show that both types of hidden issues are correlated. Our study of more than 400 real-world Android apps shows that apps with a high number of quality issues are likely to also have a higher number of security vulnerabilities. We argue that security and quality issues should be seen as two sides of the same coin. We investigate which types of quality problems correlate with which types of security issues and give insights into potential causes.
Arzt, S. (2021). Security and quality: Two sides of the same coin? In SOAP 2021 - Proceedings of the 10th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis, co-located with PLDI 2021 (pp. 7–12). Association for Computing Machinery, Inc. https://doi.org/10.1145/3460946.3464315