Software vulnerability can cause disastrous consequences for information security. Earlier detection of vulnerabilities minimizes these consequences. Manual detection of vulnerable code is very difficult and very costly in terms of time and budget. Therefore, developers must use automatic vulnerabilities prediction (AVP) tools to minimize costs. Recent works on AVP begin to use techniques of deep learning (DL). All the proposed approaches are based on techniques of feature extraction inspired by previous applications of DL such as automatic language processing. Code metrics were widely used as features to build AVP models based on classic machine learning. This study bridges the gap between deep learning and machine learning features and discusses a deep-learning-based approach to finding vulnerabilities in code using code metrics. Obtained results show that code metrics are very good but not the better to use as features in DL-based AVP.INDEX TERMS Automatic vulnerability prediction, code metrics, deep neural networks.
Most security and privacy issues in software are related to exploiting code vulnerabilities. Many studies have tried to find the correlation between the software characteristics (complexity, coupling, etc.) quantified by corresponding code metrics and its vulnerabilities and to propose automatic prediction models that help developers locate vulnerable components to minimize maintenance costs. The results obtained by these studies cannot be applied directly to web applications because a web application differs in many ways from a non-web application: development, use, etc. and a lot of evaluation of these conclusions has to be made. The purpose of this study is to evaluate and compare the vulnerabilities prediction power of three types of code metrics in web applications. There are a few similar studies that targeted non-web application and to the best of our knowledge, there are no similar studies that targeted web applications. The results obtained show that unlike non-web applications where complexity metrics have better vulnerability prediction power, in web applications the metrics that give better prediction are the coupling metrics with high recall (> 75%) and fewer costs in terms of inspection (<25%).
This study has to be considered as another step towards the proposal of assessment/predictive models in software quality. We consider in this work, that a probabilistic model using Bayesian nets constitutes an interesting alternative to non-probabilistic models suggested in the literature. Thus, we propose in this paper a probabilistic approach using Bayesian networks to analyze and predict change impact in object-oriented systems. An impact model is built and probabilities are assigned to network nodes. Data obtained from a real system are exploited to empirically study causality hypotheses between some software internal attributes and change impact. Several scenarios are executed on the network, and the obtained results confirm that coupling is a good indicator of change impact.
Automatic vulnerabilities prediction assists developers and minimizes resources allocated to fix software security issues. These costs can be minimized even more if the exact location of vulnerability is correctly indicated. In this study, the authors propose a new approach to using code metrics in vulnerability detection. The strength part of the proposed approach lies in using code metrics not to simply quantify characteristics of software components at a coarse granularity (package, file, class, function) such as complexity, coupling, etc., which is the approach commonly used in previous studies, but to quantify extracted pieces of code that hint presence of vulnerabilities at a fine granularity (few lines of code). Obtained results show that code metrics can be used with a machine learning technique not only to indicate vulnerable components wish was the aim of previous approaches but also to detect and locate vulnerabilities with very good accuracy.
Software evolution control mostly relies on the better structure of the inherent software artifacts and the evaluation of different qualitative factors like maintainability. The attributes of changeability are commonly used to measure the capability of the software to change with minimal side effects. This article describes the use of the design of experiments method to evaluate the influence of variations of software metrics on the change impact in developed software. The coupling metrics are considered to analyze their degree of contribution to cause a change impact. The data from participant software metrics are expressed in the form of mathematical models. These models are then validated on different versions of software to estimate the correlation of coupling metrics with the change impact. The proposed approach is evaluated with the help of a set of experiences which are conducted using statistical analysis tools. It may serve as a measurement tool to qualify the significant indicators that can be included in a Software Maintenance dashboard.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.