Threat Modeling Through Detection, Prevention & Classification of Leading-to-Vulnerability Code Smells (LVCs)

Shah Jahan Malik, Komal Batool

Authorea (2023)

Abstract
Code smells are usually ignored because they are neither bugs nor vulnerabilities; quality engineers and, especially, security architects tend to overlook them. Some code smells, however, can lead to vulnerabilities that an attacker may later exploit, so such leading-to-vulnerability code smells (LVCs) must be considered and mitigated by threat modelers. To give security designers a repository of such smells, a process was devised and tested. Several web applications were passed through static application security testing (SAST); the resulting code smells were extracted and inserted into a new dataset using Python, and the smells in the dataset were then classified into categories. Finally, machine learning algorithms were evaluated in WEKA and the fastest and most accurate one was selected. Current security standards do not, to date, ensure mitigation of the threats caused by leading-to-vulnerability code smells. Threat modelers typically assess the security of a system by modeling threats with CIA, STRIDE and LINDDUN on its data flow diagram (DFD) and on its architectural and infrastructural diagrams. Unless they know that an exploitable vulnerability can still exist even after all secure design principles have been applied, the system remains open to attack. Our hypothesis was that vulnerable code smells persist even after full compliance with threat modeling standards. Finally, descriptive and inferential statistics were used to analyze the results and test the hypothesis.
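The pipeline the abstract describes (SAST findings extracted, loaded into a dataset with Python, then classified into categories a threat modeler can act on) is illustrated below with an added example. This is not the paper's code and does not reproduce its taxonomy: the Bandit-style JSON finding format, the five constructed findings, the smell categories and the mapping from each smell to a STRIDE threat class are all assumptions made for the example. It shows the one step the abstract leaves implicit, namely how a raw SAST finding becomes a labelled LVC row (or is kept as a plain smell when no path to a vulnerability is known) that can be handed to a threat modeler alongside the DFD review.

```python
"""Added example: turn SAST findings into a labelled dataset of
leading-to-vulnerability code smells (LVCs). Not the paper's code; the finding
format, smell taxonomy and STRIDE mapping are assumptions for illustration."""
import csv
import io
import json
import re
from dataclasses import dataclass, asdict, fields

# Constructed SAST output in a Bandit-like JSON shape (assumption: the paper's
# tools and the real Bandit schema may differ). Five findings, one per case.
SAST_JSON = json.dumps({"results": [
    {"filename": "app/views.py", "line_number": 42, "test_id": "B608",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "code": "cursor.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)"},
    {"filename": "app/auth.py", "line_number": 17, "test_id": "B105",
     "issue_text": "Possible hardcoded password: 'hunter2'",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "code": "DEFAULT_PASSWORD = 'hunter2'"},
    {"filename": "app/utils.py", "line_number": 9, "test_id": "B110",
     "issue_text": "Try, Except, Pass detected.",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "code": "except Exception:\n    pass"},
    {"filename": "app/debug.py", "line_number": 3, "test_id": "B201",
     "issue_text": "A Flask app appears to be run with debug=True, exposing the Werkzeug debugger.",
     "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "code": "app.run(debug=True)"},
    {"filename": "app/admin.py", "line_number": 55, "test_id": "B101",
     "issue_text": "Use of assert detected.",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "code": "assert user.is_admin"},
]})

# Rule table: (regex over issue text + code, smell category, STRIDE class).
# Assumed taxonomy: a smell is an LVC only when a rule names the threat it feeds.
RULES = [
    (re.compile(r"sql injection|string-based query", re.I),
     "unsanitised_input_in_query", "Tampering"),
    (re.compile(r"hard-?coded (password|secret|key)", re.I),
     "hardcoded_secret", "Information Disclosure"),
    (re.compile(r"try, except, pass|except\s+\w*:\s*pass", re.I),
     "swallowed_exception", "Repudiation"),          # errors vanish from the audit trail
    (re.compile(r"debug=True|debugger", re.I),
     "debug_mode_enabled", "Elevation of Privilege"),  # interactive debugger runs code
]

LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class LvcRecord:
    file: str
    line: int
    rule_id: str
    severity: str
    confidence: str
    smell: str      # assumed smell category
    stride: str     # STRIDE class the smell feeds; "" when none is known
    is_lvc: bool    # True when the smell has a known path to a vulnerability
    risk: int       # severity x confidence, 1..9


def parse_sast(json_text: str) -> list[dict]:
    """Extract the findings list from the tool's JSON report."""
    return json.loads(json_text)["results"]


def classify(finding: dict) -> LvcRecord:
    """Label one finding; unmatched findings stay generic, non-LVC smells."""
    haystack = finding["issue_text"] + "\n" + finding.get("code", "")
    smell, stride = "generic_smell", ""
    for pattern, category, threat in RULES:
        if pattern.search(haystack):
            smell, stride = category, threat
            break
    sev = finding["issue_severity"].upper()
    conf = finding["issue_confidence"].upper()
    return LvcRecord(file=finding["filename"], line=finding["line_number"],
                     rule_id=finding["test_id"], severity=sev, confidence=conf,
                     smell=smell, stride=stride, is_lvc=bool(stride),
                     risk=LEVEL[sev] * LEVEL[conf])


def build_dataset(json_text: str) -> list[LvcRecord]:
    """Classify every finding; LVCs first, highest risk first (stable sort)."""
    records = [classify(f) for f in parse_sast(json_text)]
    records.sort(key=lambda r: (r.is_lvc, r.risk), reverse=True)
    return records


def to_csv(records: list[LvcRecord]) -> str:
    """Serialise the dataset as CSV for import into WEKA or a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(LvcRecord)])
    writer.writeheader()
    for r in records:
        writer.writerow(asdict(r))
    return buf.getvalue()


def summarise(records: list[LvcRecord]) -> dict[str, int]:
    """Count LVCs per STRIDE class so they can be added to the DFD threat review."""
    counts: dict[str, int] = {}
    for r in records:
        if r.is_lvc:
            counts[r.stride] = counts.get(r.stride, 0) + 1
    return counts


if __name__ == "__main__":
    recs = build_dataset(SAST_JSON)
    print(to_csv(recs))
    print(summarise(recs))
```

The point of the `is_lvc` flag is the one the abstract makes: a rule that matches only the tool's severity would keep the `assert` finding (HIGH confidence) ahead of the string-built SQL query (LOW confidence), whereas the dataset puts every smell with a known path to a STRIDE threat above every smell without one, so the threat modeler sees the rows that invalidate a "secure by design" assumption first.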
Keywords
threat, prevention, classification, leading-to-vulnerability