TY - GEN
T1 - Towards a software vulnerability prediction model using traceable code patterns and software metrics
AU - Sultana, Kazi Zakia
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/11/20
Y1 - 2017/11/20
N2 - Software security is an important aspect of ensuring software quality. The goal of this study is to help developers evaluate software security using traceable patterns and software metrics during development. The concept of traceable patterns is similar to design patterns but they can be automatically recognized and extracted from source code. If these patterns can better predict vulnerable code compared to traditional software metrics, they can be used in developing a vulnerability prediction model to classify code as vulnerable or not. By analyzing and comparing the performance of traceable patterns with metrics, we propose a vulnerability prediction model. This study explores the performance of some code patterns in vulnerability prediction and compares them with traditional software metrics. We use the findings to build an effective vulnerability prediction model. We evaluate security vulnerabilities reported for Apache Tomcat, Apache CXF and three stand-alone Java web applications. We use machine learning and statistical techniques for predicting vulnerabilities using traceable patterns and metrics as features. We found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics.
UR - http://www.scopus.com/inward/record.url?scp=85041452101&partnerID=8YFLogxK
U2 - 10.1109/ASE.2017.8115724
DO - 10.1109/ASE.2017.8115724
M3 - Conference contribution
AN - SCOPUS:85041452101
T3 - ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
SP - 1022
EP - 1025
BT - ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
A2 - Nguyen, Tien N.
A2 - Rosu, Grigore
A2 - Di Penta, Massimiliano
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017
Y2 - 30 October 2017 through 3 November 2017
ER -