Evaluating Software Metrics as Predictors of Software Vulnerabilities

Web application security is an important problem in today’s Internet. A major cause is that many developers are not equipped with the skills needed to write secure code. Because time and resources are limited, web engineers need help in recognizing vulnerable components: a reliable way to predict vulnerable code would let them prioritize security-auditing effort. In this work, we compare the performance of different classification techniques in predicting vulnerable PHP files and propose an application of the resulting classification rules. We performed empirical case studies on three large open-source web projects, investigating whether software metrics are discriminative and predictive of vulnerable code, whether they can guide improvements to the code and the development team, and whether they can prioritize validation and verification efforts. The results indicate that the metrics are both discriminative and predictive of vulnerabilities.
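As an added illustration (not code from the paper or from its case-study projects), the following Python script walks through the pipeline the abstract describes on a constructed six-file PHP corpus: compute file-level metrics, check whether they differ between the vulnerable and safe classes, train a classifier, estimate its precision and recall with leave-one-out cross-validation, and turn the result into an audit order. The metric set (non-blank lines of code, a McCabe-style branch count, and the number of references to request superglobals), the decision-stump classifier and the vulnerable/safe labels are all assumptions made for the example; the paper's actual metrics, classifiers and labelled data are not given on this page, and the toy corpus is deliberately built so that only the input-reference metric separates the two classes.

```python
import re
from statistics import mean
from textwrap import dedent

SAMPLES = {  # constructed corpus: name -> (PHP source, hypothetical "known vulnerable" label)
    "config.php": (dedent("""
        <?php
        $debug = false;
        if ($debug) {
            error_reporting(E_ALL);
        }"""), False),
    "format.php": (dedent("""
        <?php
        function money($amount, $cur) {
            if ($cur == 'EUR') {
                return number_format($amount, 2) . ' EUR';
            }
            return '$' . number_format($amount, 2);
        }"""), False),
    "report.php": (dedent("""
        <?php
        $total = 0;
        foreach (load_rows() as $row) {
            if ($row['paid']) {
                $total += $row['amount'];
            }
        }
        echo htmlspecialchars((string) $total);"""), False),
    "search.php": (dedent("""
        <?php
        $q = $_GET['q'];
        foreach (run_search($q) as $r) {
            echo $r['title'];
        }"""), True),
    "profile.php": (dedent("""
        <?php
        if (isset($_POST['bio'])) {
            save_bio($_COOKIE['uid'], $_POST['bio']);
        }"""), True),
    "admin.php": (dedent("""
        <?php
        $action = $_REQUEST['action'];
        if ($action == 'delete') {
            delete_item($_REQUEST['id']);
        } elseif ($action == 'edit') {
            update_item($_REQUEST['id'], $_POST['title']);
        }"""), True),
}

BRANCH_RE = re.compile(r"\b(if|elseif|for|foreach|while|case|catch)\b")
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def metrics(src):
    """Three assumed file-level metrics; the paper's own metric set is not on the page."""
    return {
        "loc": sum(1 for line in src.splitlines() if line.strip()),  # non-blank lines
        "cyclomatic": 1 + len(BRANCH_RE.findall(src)),  # McCabe-style branch count
        "input_refs": len(INPUT_RE.findall(src)),  # references to request superglobals
    }

def table(samples):
    return [(name, metrics(src), vuln) for name, (src, vuln) in samples.items()]

def class_means(samples):
    """Per-class mean of each metric: the 'is it discriminative?' question at its simplest."""
    rows = table(samples)
    return {m: {"safe": mean(r[m] for _, r, v in rows if not v),
                "vulnerable": mean(r[m] for _, r, v in rows if v)}
            for m in rows[0][1]}

def train_stump(rows):
    """Decision stump: best rule 'metric > threshold => vulnerable' on (metrics, label) rows."""
    best = (-1.0, None, None)
    for m in rows[0][0]:
        for t in sorted({r[m] for r, _ in rows}):
            acc = sum((r[m] > t) == v for r, v in rows) / len(rows)
            if acc > best[0]:  # strict: ties keep the earlier metric/threshold
                best = (acc, m, t)
    return best[1], best[2]

def loo_cv(samples):
    """Leave-one-out cross-validation: every file is scored by a stump that never saw it."""
    rows = [(r, v) for _, r, v in table(samples)]
    tp = fp = fn = 0
    for i, (held, truth) in enumerate(rows):
        m, t = train_stump(rows[:i] + rows[i + 1:])
        pred = held[m] > t
        tp += int(pred and truth)
        fp += int(pred and not truth)
        fn += int(truth and not pred)
    return {"precision": tp / max(tp + fp, 1), "recall": tp / max(tp + fn, 1)}

def audit_order(samples):
    """Audit priority: the stump's metric first, complexity as tie-break, then file name."""
    rows = table(samples)
    m, _ = train_stump([(r, v) for _, r, v in rows])
    return [n for n, _, _ in sorted(rows, key=lambda x: (-x[1][m], -x[1]["cyclomatic"], x[0]))]

if __name__ == "__main__":
    print(class_means(SAMPLES), loo_cv(SAMPLES), audit_order(SAMPLES), sep="\n")
```

Running the script prints the per-class metric means, the cross-validated precision and recall, and the order in which an auditor would work through the files. The stump is a deliberately simple stand-in for the classification techniques the abstract compares; swapping in a stronger learner changes only `train_stump`, while the leave-one-out loop and the ranking stay the same, which is why the evaluation is kept separate from the model. The cross-validation step matters: a stump chosen on all six files would report perfect accuracy on the very files it was fitted to, and only the held-out predictions say anything about files the model has not seen.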