ABSTRACT
Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. We create predictive models to identify which components are likely to have the most security risk. Software engineers can use these models to make measurement-based risk management decisions and to prioritize software security fortification efforts, such as redesign and additional inspection and testing. We mined and analyzed data from a large commercial telecommunications software system containing over one million lines of code that had been deployed to the field for two years. Using recursive partitioning, we built attack-prone prediction models with the following code-level metrics: static analysis tool alert density, code churn, and count of source lines of code. One model identified 100% of the attack-prone components (40% of the total number of components) with an 8% false positive rate. As such, the model could be used to prioritize fortification efforts in the system.
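To make the abstract's method concrete, the following is an added illustration, not code or data from the paper: a minimal recursive-partitioning (CART-style, Gini-impurity) classifier built on the three code-level metrics the abstract names, alert density, code churn and SLOC, together with the recall and false-positive-rate computation by which such a model is judged. All component names, metric values and attack-prone labels are constructed; alert density is assumed to mean alerts per thousand source lines, and churn is assumed to be a line-change count over the study period. The paper's exact tree configuration and its real data are not reproduced here.

```python
"""Attack-prone component prediction by recursive partitioning (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

FEATURES = ("alert_density", "churn", "sloc")  # the three predictors from the abstract


@dataclass
class Component:
    name: str
    sloc: int           # source lines of code
    alerts: int         # static analysis tool alerts on the component (assumed metric)
    churn: int          # lines added/changed/deleted over the study window (assumed metric)
    attack_prone: bool  # label: at least one field-reported security failure


def metrics(c: Component) -> Dict[str, float]:
    """Alert density is assumed to be alerts per KSLOC; integer math keeps values exact."""
    return {"alert_density": c.alerts * 1000 / c.sloc, "churn": float(c.churn), "sloc": float(c.sloc)}


@dataclass
class Node:
    feature: Optional[str] = None
    threshold: Optional[float] = None
    left: Optional["Node"] = None   # rows with feature <= threshold
    right: Optional["Node"] = None  # rows with feature >  threshold
    label: Optional[bool] = None    # set only on leaves


Row = Tuple[Dict[str, float], bool]


def gini(labels: Sequence[bool]) -> float:
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows: List[Row], min_leaf: int) -> Optional[Tuple[float, str, float]]:
    """Exhaustive search over midpoints between sorted feature values; returns (gain, feature, t)."""
    parent = gini([y for _, y in rows])
    best = None
    for f in FEATURES:
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= t]
            right = [y for x, y in rows if x[f] > t]
            if len(left) < min_leaf or len(right) < min_leaf:
                continue  # refuse leaves too small to trust
            child = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or parent - child > best[0]:
                best = (parent - child, f, t)
    return best


def build_tree(rows: List[Row], max_depth: int = 3, min_leaf: int = 2, depth: int = 0) -> Node:
    labels = [y for _, y in rows]
    majority = 2 * sum(labels) >= len(labels)
    split = None if depth >= max_depth or gini(labels) == 0.0 else best_split(rows, min_leaf)
    if split is None or split[0] <= 0.0:
        return Node(label=majority)
    _, f, t = split
    return Node(feature=f, threshold=t,
                left=build_tree([r for r in rows if r[0][f] <= t], max_depth, min_leaf, depth + 1),
                right=build_tree([r for r in rows if r[0][f] > t], max_depth, min_leaf, depth + 1))


def predict(node: Node, x: Dict[str, float]) -> bool:
    while node.label is None:
        node = node.left if x[node.feature] <= node.threshold else node.right
    return node.label


def fit(components: Sequence[Component]) -> Node:
    return build_tree([(metrics(c), c.attack_prone) for c in components])


def evaluate(tree: Node, components: Sequence[Component]) -> Dict[str, float]:
    """Recall of attack-prone components, false positive rate, and share of components flagged."""
    tp = fn = fp = tn = 0
    for c in components:
        flagged = predict(tree, metrics(c))
        if c.attack_prone:
            tp, fn = tp + int(flagged), fn + int(not flagged)
        else:
            fp, tn = fp + int(flagged), tn + int(not flagged)
    return {"recall": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
            "flagged_fraction": (tp + fp) / len(components)}


def rules(node: Node, indent: str = "") -> str:
    """Render the tree as the prioritization rules an engineer would act on."""
    if node.label is not None:
        return f"{indent}-> {'attack-prone' if node.label else 'not attack-prone'}\n"
    return (f"{indent}if {node.feature} <= {node.threshold:g}:\n" + rules(node.left, indent + "  ")
            + f"{indent}else:\n" + rules(node.right, indent + "  "))


# Constructed sample, not the paper's system: (name, sloc, alerts, churn, attack_prone)
TRAINING = [
    Component("auth", 4000, 40, 900, True), Component("parser", 12000, 96, 1500, True),
    Component("net_io", 8000, 40, 700, True), Component("session", 2000, 6, 1200, True),
    Component("crypto_wrap", 2000, 18, 120, False),  # alert-dense but barely touched
    Component("legacy_fmt", 5000, 30, 80, False), Component("logging", 3000, 6, 100, False),
    Component("ui_strings", 5000, 5, 50, False), Component("config", 1000, 2, 150, False),
    Component("reports", 9000, 18, 800, False),  # heavy churn, few alerts
    Component("util", 6000, 12, 200, False), Component("db_access", 10000, 20, 750, False),
    Component("migration", 4000, 8, 1000, False),
]
HOLDOUT = [  # constructed components the tree has not seen
    Component("billing", 4000, 16, 950, True), Component("help_text", 5000, 5, 2000, False),
    Component("cache", 3000, 21, 300, False), Component("api_gw", 3000, 9, 500, False),
]

if __name__ == "__main__":
    tree = fit(TRAINING)
    print(rules(tree))
    print("training:", evaluate(tree, TRAINING))
    print("holdout: ", evaluate(tree, HOLDOUT))
```

On the constructed data the tree first splits on alert density and then, among alert-dense components, on churn, so a component with many alerts but no recent change is not flagged. The held-out set shows the trade-off the abstract reports: every attack-prone component is caught, but one stable component is flagged too, which is the false positive rate an engineer weighs against the cost of fortifying the flagged set.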