ABSTRACT
Complexity is often hypothesized to be the enemy of software security. If this hypothesis is true, complexity metrics may be used to predict the locale of security problems and can be used to prioritize inspection and testing efforts. We performed statistical analysis on nine complexity metrics from the JavaScript Engine in the Mozilla application framework to find differences in code metrics between vulnerable and nonvulnerable code and to predict vulnerabilities. Our initial results show that complexity metrics can predict vulnerabilities at a low false positive rate, but at a high false negative rate.
Title: An empirical model to predict security vulnerabilities using code complexity metrics