Using software metrics for predicting vulnerable code-components: A study on java and python open source projects

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Software vulnerabilities often remain hidden until an attacker exploits the weak/insecure code. Therefore, testing the software from a vulnerability discovery perspective becomes challenging for developers if they do not inspect their code thoroughly (which is time-consuming). We propose that vulnerability prediction using certain software metrics can support the testing process by identifying vulnerable code-components (e.g., functions, classes, etc.). Once a code-component is predicted as vulnerable, the developers can focus their testing efforts on it, thereby avoiding the time/effort required for testing the entire application. The current paper presents a study that compares how software metrics perform as vulnerability predictors for software projects developed in two different languages (Java vs Python). The goal of this research is to analyze the vulnerability prediction performance of software metrics for different programming languages. We designed and conducted experiments on security vulnerabilities reported for three Java projects (Apache Tomcat 6, Tomcat 7, Apache CXF) and two Python projects (Django and Keystone). In this paper, we focus on a specific type of code component: Functions. We apply Machine Learning models for predicting vulnerable functions. Overall results show that software metrics-based vulnerability prediction is more useful for Java projects than Python projects (i.e., software metrics when used as features were able to predict Java vulnerable functions with a higher recall and precision compared to Python vulnerable functions prediction).

Original language: English
Title of host publication: Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019
Editors: Meikang Qiu
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 98-103
Number of pages: 6
ISBN (Electronic): 9781728116631
State: Published - Aug 2019
Event: 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019 - New York, United States
Duration: 1 Aug 2019 - 3 Aug 2019

Publication series

Name: Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019

Conference

Conference: 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019
Country: United States
City: New York
Period: 1/08/19 - 3/08/19

Keywords

  • Machine learning
  • Software metrics
  • Software reliability
  • Software security
  • Vulnerability prediction

  • Cite this

    Chong, T. Y., Anu, V., & Sultana, K. Z. (2019). Using software metrics for predicting vulnerable code-components: A study on java and python open source projects. In M. Qiu (Ed.), Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019 (pp. 98-103). [8919513] (Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/CSE/EUC.2019.00028