Predicting vulnerable software components

Neuhaus, Stephan; Zimmermann, Thomas; Holler, Christian; Zeller, Andreas

doi:10.1145/1315245.1315311

Cited by 332 publications

(230 citation statements)

References 32 publications

Supporting

Mentioning

215

Contrasting

Order By: Relevance

“…For these case studies, we analyzed the Trac issue reports for two open source web applications, WordPress 8 and WikkaWiki 9 . Trac is a web-based issue management system, similar to Bugzilla …”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities

Smith

Williams

2011

2011 Fourth IEEE International Conference on Software Testing, Verification and Validation

View full text Add to dashboard Cite

show abstract

Section: Methodsmentioning

confidence: 99%

“…Nehaus et al [9] use their tool, Vulture, to predict vulnerable software components in versions of the Mozilla web browser. They demonstrate that vulnerabilities correlate with component imports and that component imports in the Mozilla web browser can be used to consistently and accurately predict vulnerable components.…”

Section: Related Workmentioning

confidence: 99%

Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities

Smith

Williams

2011

2011 Fourth IEEE International Conference on Software Testing, Verification and Validation

View full text Add to dashboard Cite

show abstract

“…Neuhaus et al studied Mozilla vulnerabilities in order to predict so far unknown vulnerabilities [11] and Schryen studies many OSS projects in order to find out whether open-source security is a myth [19].…”

Section: Related Workmentioning

confidence: 99%

Software Security Economics: Theory, in Practice

Neuhaus

Plattner

2013

The Economics of Information Security and Privacy

Self Cite

View full text Add to dashboard Cite

In economic models of cybersecurity, security investment yields positive, but diminishing, returns. If that were true for software vulnerabilities, fix rates should decrease, whereas the time between successive fixes should go up as vulnerabilities become fewer and harder to fix.In this work, we examine the empirical evidence for this hypothesis for Mozilla, Apache httpd and Apache Tomcat over the last years. By looking at 292 vulnerability reports for Mozilla, 66 for Apache, and 21 for Tomcat, we find that the number of people committing vulnerability fixes changes proportionally to the number of vulnerability fixes for Mozilla and Tomcat, but not for Apache httpd.Our findings do not support the hypothesis that vulnerability fix rates decline. It seems as if the supply of easily fixable vulnerabilities is not running out and returns are not diminishing (yet).Additionally, software security has traditionally been viewed as an arms race between an attackers and defenders. Recent work in an unrelated field has produced precise mathematical models for such arms races, but again, the evidence we find is scant and does not support the hypothesis of an arms race (of this kind).

show abstract

“…To support this process, researchers have developed vulnerability prediction models, which guide security inspections, such as code reviews [2] or security testing [5], by pointing out components that are likely to be vulnerable [7]. In fact, there are three main approaches, here named as software metrics [8], text mining [7] and includes and function calls [9].…”

Section: Introductionmentioning

confidence: 99%

“…The majority of previous research, i.e., [7], [9], [8], seeks to predict the vulnerable source code files. This choice was confirmed as actionable by Microsoft Windows developers [10] and thus, we make our evaluation at the file granularity level.…”

Section: Introductionmentioning

confidence: 99%

Vulnerability Prediction Models: A Case Study on the Linux Kernel

Jiménez

Papadakis

Traon

2016

2016 IEEE 16th International Working Conference on Source Code Analysis and Manipulation (SCAM)

View full text Add to dashboard Cite

Abstract-To assist the vulnerability identification process, researchers proposed prediction models that highlight (for inspection) the most likely to be vulnerable parts of a system. In this paper we aim at making a reliable replication and comparison of the main vulnerability prediction models. Thus, we seek for determining their effectiveness, i.e., their ability to distinguish between vulnerable and non-vulnerable components, in the context of the Linux Kernel, under different scenarios. To achieve the above-mentioned aims, we mined vulnerabilities reported in the National Vulnerability Database and created a large dataset with all vulnerable components of Linux from 2005 to 2016. Based on this, we then built and evaluated the prediction models. We observe that an approach based on the header files included and on function calls performs best when aiming at future vulnerabilities, while text mining is the best technique when aiming at random instances. We also found that models based on code metrics perform poorly. We show that in the context of the Linux kernel, vulnerability prediction models can be superior to random selection and relatively precise. Thus, we conclude that practitioners have a valuable tool for prioritizing their security inspection efforts.

show abstract

Predicting vulnerable software components

Cited by 332 publications

References 32 publications

Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities

Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities

Software Security Economics: Theory, in Practice

Vulnerability Prediction Models: A Case Study on the Linux Kernel

Contact Info

Product

Resources

About