Toward Non-security Failures as a Predictor of Security Faults and Failures

Gegick, Michael; Rotella, Pete; Williams, Laurie

doi:10.1007/978-3-642-00199-4_12

Cited by 19 publications

(17 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The weaker metrics have less significant splits, although the p-values are below 0.05, than the strongly-correlated metric. However, our observations in [12], and in comparison of the results presented here with those in [13], we find that weaklycorrelated metrics can lead to more splits than strongly-correlated metrics, and that many splits can yield good separation between attack-prone and not attack-prone components. …”

Section: Predictive Modelssupporting

confidence: 59%

See 1 more Smart Citation

Predicting Attack-prone Components

Gegick

Rotella

Williams

2009

2009 International Conference on Software Testing Verification and Validation

Self Cite

View full text Add to dashboard Cite

show abstract

Section: Predictive Modelssupporting

confidence: 59%

“…We do not restrict our metrics to the security realm, however. Our prior work [9,12,13] indicates that non-security failures are positively correlated with security failures, and we therefore do not exclude non-security warnings as candidate metrics.…”

Section: Candidate Metricsmentioning

confidence: 99%

Predicting Attack-prone Components

Gegick

Rotella

Williams

2009

2009 International Conference on Software Testing Verification and Validation

Self Cite

View full text Add to dashboard Cite

show abstract

“…Gegick et al [14] investigated whether non-security failure reports could be used to predict whether a given component is vulnerable. In the context of a Cisco software system, the authors found a 0.4 correlation between security faults and non-security failures.…”

Section: Vulnerability Prediction Modelsmentioning

confidence: 99%

Predicting Vulnerable Software Components via Text Mining

Scandariato

Walden

Hovsepyan

et al. 2014

IIEEE Trans. Software Eng.

281

186

View full text Add to dashboard Cite

This paper presents an approach based on machine learning to predict which components of a software application contain security vulnerabilities. The approach is based on text mining the source code of the components. Namely, each component is characterized as a series of terms contained in its source code, with the associated frequencies. These features are used to forecast whether each component is likely to contain vulnerabilities. In an exploratory validation with 20 Android applications, we discovered that a dependable prediction model can be built. Such model could be useful to prioritize the validation activities, e.g., to identify the components needing special scrutiny.

show abstract

“…Gegick et al used code-level metrics such as lines of code, code churn, and number of static tool alerts [8] as well as past non-security faults [7] to predict security faults. In the most recent work, Gegick et al achieved a precision of 0.52 and a recall of 0.57.…”

Section: Related Workmentioning

confidence: 99%

Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista

Zimmermann

Nagappan

Williams

2010

2010 Third International Conference on Software Testing, Verification and Validation

Self Cite

166

106

View full text Add to dashboard Cite

Abstract-Many factors are believed to increase the vulnerability of software system; for example, the more widely deployed or popular is a software system the more likely it is to be attacked. Early identification of defects has been a widely investigated topic in software engineering research. Early identification of software vulnerabilities can help mitigate these attacks to a large degree by focusing better security verification efforts in these components. Predicting vulnerabilities is complicated by the fact that vulnerabilities are, most often, few in number and introduce significant bias by creating a sparse dataset in the population. As a result, vulnerability prediction can be thought of us preverbally "searching for a needle in a haystack." In this paper, we present a large-scale empirical study on Windows Vista, where we empirically evaluate the efficacy of classical metrics like complexity, churn, coverage, dependency measures, and organizational structure of the company to predict vulnerabilities and assess how well these software measures correlate with vulnerabilities. We observed in our experiments that classical software measures predict vulnerabilities with a high precision but low recall values. The actual dependencies, however, predict vulnerabilities with a lower precision but substantially higher recall.

show abstract

Toward Non-security Failures as a Predictor of Security Faults and Failures

Cited by 19 publications

References 19 publications

Predicting Attack-prone Components

Predicting Attack-prone Components

Predicting Vulnerable Software Components via Text Mining

Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista

Contact Info

Product

Resources

About