Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components

Extensive research has shown that software metrics can be used to identify fault- and failure-prone components. These metrics can also give early indications of overall software quality. We seek to parallel the identification and prediction of fault- and failure-prone components in the reliability context with the identification and prediction of vulnerability- and attack-prone components in the security context. Our research will correlate the quantity and severity of alerts generated by source code static analyzers with vulnerabilities discovered by manual analysis and testing. A strong correlation would indicate that automated static analyzers (ASA), a technique that can be applied early in the development phase, can identify high-risk areas of a software system. Based on the alerts, we may also be able to predict the presence of more complex and abstract vulnerabilities in the design and operation of the system. Early knowledge of vulnerabilities allows software engineers to make informed risk management decisions and to prioritize redesign, inspection, and testing efforts. This paper presents our research objective and methodology.
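The correlation step described above, worked through on constructed data as an added example (this is not code or data from the paper): each component carries ASA alert counts by severity and the number of vulnerabilities found by manual analysis and testing; a severity-weighted alert density per KLOC is compared against vulnerability counts with Spearman rank correlation, and components are ranked for inspection. The component names, line counts, alert counts, vulnerability counts and the severity weights (10/3/1) are all assumptions chosen for illustration, as are the function names. The example goes one step beyond the abstract by computing the correlation for both a raw alert count and the weighted density, so that the effect of accounting for severity and component size is visible, and its rank function handles tied values with average ranks.

```python
"""Constructed example: correlating static-analysis alerts with vulnerabilities
per component. All data, weights and names are assumptions for illustration."""
from dataclasses import dataclass
from math import sqrt
from typing import Callable, Dict, List, Sequence

# Assumed severity weights: one high-severity alert counts as ten low ones.
SEVERITY_WEIGHTS: Dict[str, int] = {"high": 10, "medium": 3, "low": 1}


@dataclass(frozen=True)
class Component:
    name: str
    kloc: float              # thousands of source lines
    alerts: Dict[str, int]   # ASA alert counts keyed by severity
    vulns: int               # vulnerabilities found by manual analysis/testing


# Constructed sample data (hypothetical components, not measurements).
COMPONENTS: List[Component] = [
    Component("auth",    2.0, {"high": 4, "medium": 6, "low": 10}, 6),
    Component("logging", 5.0, {"high": 1, "medium": 3, "low": 20}, 1),
    Component("parser",  1.0, {"high": 2, "medium": 2, "low": 4},  4),
    Component("ui",      3.0, {"high": 0, "medium": 1, "low": 8},  0),
    Component("net",     4.0, {"high": 3, "medium": 8, "low": 12}, 3),
    Component("config",  0.5, {"high": 0, "medium": 0, "low": 2},  2),
]


def raw_alert_count(c: Component) -> int:
    """Plain number of alerts, ignoring severity and component size."""
    return sum(c.alerts.values())


def weighted_alert_density(c: Component,
                           weights: Dict[str, int] = SEVERITY_WEIGHTS) -> float:
    """Severity-weighted alerts per KLOC."""
    score = sum(weights.get(sev, 0) * n for sev, n in c.alerts.items())
    return score / c.kloc


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values share the mean of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + j) / 2 + 1      # positions i..j are 0-based
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        raise ValueError("correlation undefined for a constant series")
    return cov / (sx * sy)


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman's rho: Pearson correlation of the (tie-averaged) ranks."""
    return pearson(average_ranks(xs), average_ranks(ys))


def alert_vuln_correlation(components: Sequence[Component],
                           metric: Callable[[Component], float]) -> float:
    """Rank correlation between an alert metric and vulnerability counts."""
    return spearman([metric(c) for c in components],
                    [c.vulns for c in components])


def prioritize(components: Sequence[Component], k: int,
               metric: Callable[[Component], float] = weighted_alert_density
               ) -> List[str]:
    """Top-k components to inspect first, by descending alert metric."""
    return [c.name for c in sorted(components, key=metric, reverse=True)][:k]


if __name__ == "__main__":
    for label, metric in (("raw alert count", raw_alert_count),
                          ("weighted density", weighted_alert_density)):
        rho = alert_vuln_correlation(COMPONENTS, metric)
        print(f"Spearman rho ({label}) = {rho:.3f}")
    print("inspect first:", prioritize(COMPONENTS, 3))
```

On this constructed data the raw alert count is almost uncorrelated with the vulnerabilities found (rho of about -0.09), while the severity-weighted density correlates strongly (rho of about 0.94); that contrast is the reason the study weights alerts by severity rather than simply counting them. With real data, the weights and the normalisation (per KLOC, per function, or none) are themselves hypotheses to be validated against the manual findings.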
