Mapping the field of software life cycle security metrics

Morrison, Patrick; Moye, David; Pandita, Rahul; Williams, Laurie

doi:10.1016/j.infsof.2018.05.011

Cited by 44 publications

(34 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…express purpose of helping to answer the research questions at hand but can also facilitate verifiability of the procedure. A welldesigned data extraction form can even be made publicly available in conjunction with a publication (Morrison et al, 2018), to stimulate further research based on the results.…”

Section: Data Extraction and Synthesismentioning

confidence: 99%

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Haastrecht

Sarhan

Özkan

et al. 2021

Front. Res. Metr. Anal.

View full text Add to dashboard Cite

Research output has grown significantly in recent years, often making it difficult to see the forest for the trees. Systematic reviews are the natural scientific tool to provide clarity in these situations. However, they are protracted processes that require expertise to execute. These are problematic characteristics in a constantly changing environment. To solve these challenges, we introduce an innovative systematic review methodology: SYMBALS. SYMBALS blends the traditional method of backward snowballing with the machine learning method of active learning. We applied our methodology in a case study, demonstrating its ability to swiftly yield broad research coverage. We proved the validity of our method using a replication study, where SYMBALS was shown to accelerate title and abstract screening by a factor of 6. Additionally, four benchmarking experiments demonstrated the ability of our methodology to outperform the state-of-the-art systematic review methodology FAST2.

show abstract

Section: Data Extraction and Synthesismentioning

confidence: 99%

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Haastrecht

Sarhan

Özkan

et al. 2021

Front. Res. Metr. Anal.

View full text Add to dashboard Cite

show abstract

“…Rahman et al [14] studied 32 publications related to infrastructure as code (IaC) [13] and observed that research in IaC was mostly focused on implementing or extending the practice of IaC. Morrison et al [17] performed a mapping study on 71 papers and reported 324 unique software life cycle security metrics. For each metric, they also identified the subject being measured, how the metric had been validated, and how the metric was used.…”

Section: Related Workmentioning

confidence: 99%

Security Bug Report Usage for Software Vulnerability Research: A Systematic Mapping Study

Bhuiyan¹,

Sharif²,

Rahman³

2021

IEEE Access

View full text Add to dashboard Cite

Context: Security bug reports are reports from bug tracking systems that include descriptions and resolutions of security vulnerabilities that occur in software projects. Researchers use security bug reports to conduct research related to software vulnerabilities. A mapping study of publications that use security bug reports can inform researchers on (i) the research topics that have been investigated, and (ii) potential research avenues in the field of software vulnerabilities. Objective: The objective of this paper is to help researchers identify research gaps related to software vulnerabilities by conducting a systematic mapping study of research publications that use security bug reports. Method: We perform a systematic mapping study of research that use security bug reports for software vulnerability research by searching five scholar databases: (i) IEEE Xplore, (ii) ACM Digital Library, (iii) ScienceDirect, (iv) Wiley Online Library, and (v) Springer Link. From the five scholar databases, we select 46 publications that use security bug reports by systematically applying inclusion and exclusion criteria. Using qualitative analysis, we identify research topics investigated in our collected set of publications. Results: We identify three research topics that are investigated in our set of 46 publications. The three topics are: (i) vulnerability classification; (ii) vulnerability report summarization; and (iii) vulnerability dataset construction. Of the studied 46 publications, 42 publications focus on vulnerability classification. Conclusion: Findings from our mapping study can be leveraged to identify research opportunities in the domains of software vulnerability classification and automated vulnerability repair techniques.

show abstract

“…Our results do not support the belief that practical experience always makes a better cybersecurity expert than formal education. Still Morrison et al have a second recent survey (Morrison et al 2018), this time on security metrics and considering scientific papers, that reveals an unsatisfactory scenario for what concerns the analysis criteria of software vulnerabilities. In the survey, the authors called Incident metric the one related to vulnerabilities and found that papers could be divided in two subgroups: those that focused on quantifying vulnerabilities, a goal more difficult than it may look like (Geer 2015) and a bad inference method to evaluate risk, and those that discussed CVSS.…”

Section: Related Workmentioning

confidence: 99%

“…In this work, we focus on vulnerability assessment as a part of the overall cybersecurity risk assessment process (ISO 2008) and the use of metrics in the security development lifecycle (Morrison et al 2018). Our overall goal is studying to what extent the overall accuracy of the assessment of software vulnerabilities according to a technical methodology depend on the assessor's background knowledge and expertise (MSc students and security professionals).…”

Section: Introductionmentioning

confidence: 99%

Measuring the accuracy of software vulnerability assessments: experiments with students and professionals

et al. 2020

View full text Add to dashboard Cite

Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires to consider multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend from the assessor's knowledge and skills. In this work, we tackle with an important part of this problem by measuring the accuracy of technical vulnerability assessments by assessors with different level and type of knowledge. We report an experiment to compare how accurately students with different technical education and security professionals are able to assess the severity of software vulnerabilities with the Common Vulnerability Scoring System (v3) industry methodology. Our results could be useful for increasing awareness about the intrinsic subtleties of vulnerability risk assessment and possibly better compliance with regulations. With respect to academic education, professional training and human resources selections our work suggests that measuring the effects of knowledge and expertise on the accuracy of software security assessments is feasible albeit not easy.

show abstract

Mapping the field of software life cycle security metrics

Cited by 44 publications

References 7 publications

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

SYMBALS: A Systematic Review Methodology Blending Active Learning and Snowballing

Security Bug Report Usage for Software Vulnerability Research: A Systematic Mapping Study

Measuring the accuracy of software vulnerability assessments: experiments with students and professionals

Contact Info

Product

Resources

About