Using complexity metrics to improve software security

Moshtari, Sara; Sami, Ashkan; Azimi, Mahdi

doi:10.1016/s1361-3723(13)70045-9

Cited by 48 publications

(32 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Overall, codes of the participant teachers were of higher quality comparing to the students' codes; however with regards to the measurable security features, the opposite was observed. In recent years, much attention has been put on exploring the relations between software quality metrics and software vulnerability; most of these studies have found that the former can predict the latter (e.g., Chowdhurry & Zulkernine, 2011;Moshtari, Sami, & Azimi, 2013;Shin & Williams, 2013). However, most of these studies were analysing big (in terms of code size) commercial software (e.g., Mozilla Firefox, Linux Kernel, Eclipse, etc.)…”

Section: Discussionmentioning

confidence: 99%

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

Boutnaru¹,

Hershkovitz²

2015

IJELL

View full text Add to dashboard Cite

In recent years, schools (as well as universities) have added cyber security to their computer science curricula. This topic is still new for most of the current teachers, who would normally have a standard computer science background. Therefore the teachers are trained and then teaching their students what they have just learned. In order to explore differences in both populations’ learning, we compared measures of software quality and security between high-school teachers and students. We collected 109 source files, written in Python by 18 teachers and 31 students, and engineered 32 features, based on common standards for software quality (PEP 8) and security (derived from CERT Secure Coding Standards). We use a multi-view, data-driven approach, by (a) using hierarchical clustering to bottom-up partition the population into groups based on their code-related features and (b) building a decision tree model that predicts whether a student or a teacher wrote a given code (resulting with a LOOCV kappa of 0.751). Overall, our findings suggest that the teachers’ codes have a better quality than the students’ – with a sub-group of the teachers, mostly males, demonstrate better coding than their peers and the students – and that the students’ codes are slightly better secured than the teachers’ codes (although both populations show very low security levels). The findings imply that teachers might benefit from their prior knowledge and experience, but also emphasize the lack of continuous involvement of some of the teachers with code-writing. Therefore, findings shed light on computer science teachers as lifelong learners. Findings also highlight the difference between quality and security in today’s programming paradigms. Implications for these findings are discussed.

show abstract

Section: Discussionmentioning

confidence: 99%

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

Boutnaru¹,

Hershkovitz²

2015

IJELL

View full text Add to dashboard Cite

show abstract

“…Moshtari et al [20], contrary to previous studies, examined and highlighted the ability of software complexity to predict vulnerabilities between software products (i.e. cross-project prediction), based on 5 open-source software products, namely Mozilla Firefox, Linux Kernel, Apache Tomcat, Eclipse, and Open SCADA.…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

“…Although it is a relatively new area of research, a great number of VPMs has already been proposed in the related literature. As stated in [9], the main VPMs that can be found in the literature utilize software metrics [13][14][15][16][17][18][19][20][21][22], text mining [23][24][25][26][27][28], and security-related static analysis alerts [10,[29][30][31][32]] to predict vulnerabilities. These types of VPMs are analyzed in the rest of this section.…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

Static Analysis-Based Approaches for Secure Software Development

Siavvas

Gelenbe

Kehagias

et al. 2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Software security is a matter of major concern for software development enterprises that wish to deliver highly secure software products to their customers. Static analysis is considered one of the most effective mechanisms for adding security to software products. The multitude of static analysis tools that are available provide a large number of raw results that may contain security-relevant information, which may be useful for the production of secure software. Several mechanisms that can facilitate the production of both secure and reliable software applications have been proposed over the years. In this paper, two such mechanisms, particularly the vulnerability prediction models (VPMs) and the optimum checkpoint recommendation (OCR) mechanisms, are theoretically examined, while their potential improvement by using static analysis is also investigated. In particular, we review the most significant contributions regarding these mechanisms, identify their most important open issues, and propose directions for future research, emphasizing on the potential adoption of static analysis for addressing the identified open issues. Hence, this paper can act as a reference for researchers that wish to contribute in these subfields, in order to gain solid understanding of the existing solutions and their open issues that require further research.

show abstract

“…Metric-based techniques, inspired by bug prediction [16,28,30,38,46,49,78], leverage supervised or unsupervised machine learning to predict vulnerable code mostly at the granularity level of a source file. Following security experts' belief that complexity is the enemy of software security [40], they use complexity metrics [21,44,45,55,56] as features, or combine them with code churn metrics [26,54,58], token frequency metrics [31,52,65,79], dependency metrics [43,47,48,81], developer activity metrics [54,58] and execution complexity metrics [57]. On the other hand, pattern-based techniques leverage patterns of known vulnerabilities to identify potentially vulnerable code through static analysis.…”

Section: Introductionmentioning

confidence: 99%

LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment Through Program Metrics

Chen

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Identifying potentially vulnerable locations in a code base is critical as a pre-step for effective vulnerability assessment; i.e., it can greatly help security experts put their time and effort to where it is needed most. Metric-based and pattern-based methods have been presented for identifying vulnerable code. The former relies on machine learning and cannot work well due to the severe imbalance between non-vulnerable and vulnerable code or lack of features to characterize vulnerabilities. The latter needs the prior knowledge of known vulnerabilities and can only identify similar but not new types of vulnerabilities.In this paper, we propose and implement a generic, lightweight and extensible framework, LEOPARD, to identify potentially vulnerable functions through program metrics. LEOPARD requires no prior knowledge about known vulnerabilities. It has two steps by combining two sets of systematically derived metrics. First, it uses complexity metrics to group the functions in a target application into a set of bins. Then, it uses vulnerability metrics to rank the functions in each bin and identifies the top ones as potentially vulnerable. Our experimental results on 11 real-world projects have demonstrated that, LEOPARD can cover 74.0% of vulnerable functions by identifying 20% of functions as vulnerable and outperform machine learning-based and static analysis-based techniques. We further propose three applications of LEOPARD for manual code review and fuzzing, through which we discovered 22 new bugs in real applications like PHP, radare2 and FFmpeg, and eight of them are new vulnerabilities.

show abstract

Using complexity metrics to improve software security

Cited by 48 publications

References 11 publications

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

Software Quality and Security in Teachers' and Students' Codes When Learning a New Programming Language

Static Analysis-Based Approaches for Secure Software Development

LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment Through Program Metrics

Contact Info

Product

Resources

About