Is complexity really the enemy of software security?

Shin, Yonghee; Williams, Laurie

doi:10.1145/1456362.1456372

Cited by 101 publications

(67 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They were able to identify 45% of all of the vulnerable components in Mozilla. Shin and Williams [27] found a weak correlation (0.2) between complexity and security vulnerabilities in Mozilla, indicating that complexity contributes to security problems, but is not the only factor. We also found a 0.2 correlation between file coupling and vulnerability counts in a large telecommunications system [10].…”

Section: Vulnerability-and Attack-prone Component Predictionsmentioning

confidence: 99%

Toward Non-security Failures as a Predictor of Security Faults and Failures

Gegick

Rotella

Williams

2009

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. In the search for metrics that can predict the presence of vulnerabilities early in the software life cycle, there may be some benefit to choosing metrics from the non-security realm. We analyzed non-security and security failure data reported for the year 2007 of a Cisco software system. We used non-security failure reports as input variables into a classification and regression tree (CART) model to determine the probability that a component will have at least one vulnerability. Using CART, we ranked all of the system components in descending order of their probabilities and found that 57% of the vulnerable components were in the top nine percent of the total component ranking, but with a 48% false positive rate. The results indicate that nonsecurity failures can be used as one of the input variables for security-related prediction models.

show abstract

Section: Vulnerability-and Attack-prone Component Predictionsmentioning

confidence: 99%

Toward Non-security Failures as a Predictor of Security Faults and Failures

Gegick

Rotella

Williams

2009

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Although it is a relatively new area of research, a great number of VPMs has already been proposed in the related literature. As stated in [9], the main VPMs that can be found in the literature utilize software metrics [13][14][15][16][17][18][19][20][21][22], text mining [23][24][25][26][27][28], and security-related static analysis alerts [10,[29][30][31][32]] to predict vulnerabilities. These types of VPMs are analyzed in the rest of this section.…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

“…Shin and Williams [13,14] were the first to investigate the ability of software metrics, particularly complexity metrics, to predict vulnerabilities in software products. Several regression models were built based on different subsets of the studied metrics in order to discriminate between vulnerable and non-vulnerable (i.e.…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

Static Analysis-Based Approaches for Secure Software Development

Siavvas

Gelenbe

Kehagias

et al. 2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Software security is a matter of major concern for software development enterprises that wish to deliver highly secure software products to their customers. Static analysis is considered one of the most effective mechanisms for adding security to software products. The multitude of static analysis tools that are available provide a large number of raw results that may contain security-relevant information, which may be useful for the production of secure software. Several mechanisms that can facilitate the production of both secure and reliable software applications have been proposed over the years. In this paper, two such mechanisms, particularly the vulnerability prediction models (VPMs) and the optimum checkpoint recommendation (OCR) mechanisms, are theoretically examined, while their potential improvement by using static analysis is also investigated. In particular, we review the most significant contributions regarding these mechanisms, identify their most important open issues, and propose directions for future research, emphasizing on the potential adoption of static analysis for addressing the identified open issues. Hence, this paper can act as a reference for researchers that wish to contribute in these subfields, in order to gain solid understanding of the existing solutions and their open issues that require further research.

show abstract

“…Shin and Williams [13] investigated the relationship between classical complexity metrics and vulnerabilities. Shin and Williams performed an empirical case study on the JavaScript Engine in the Mozilla application framework and discovered that nine complexity measures such as McCabe's cyclomatic complexity and nesting are weakly correlated with the number of vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

“…Recent usage statistics indicate that 30% of web applications are implemented using PHP, which is more than any other framework 13 . We were also interested in controlling language-dependent factors of our analysis since we are not interested in comparing programming languages in terms of their security.…”

Section: Selecting the Study Subjectsmentioning

confidence: 99%