Predictive models for identifying software components prone to failure during security attacks

Sometimes software security engineers are given a product that they are not familiar with, but are asked to have a security analysis done for it in a relatively short time. Early knowledge of where the most vulnerable regions of a software-based system are likely to reside can help prioritize their efforts. In general, software metrics can be used to predict fault- and failure-prone components for prioritizing inspection, testing, and redesign efforts. We believe that the security community can leverage this knowledge to design tools and metrics that can identify vulnerability- and attack-prone software components early in the software life cycle. We analyzed a large commercial telecommunications software-based system and found that the presence of security faults correlates strongly with the presence of a more general category of reliability faults. This, of course, is not surprising if one accepts the notion that security faults are in many instances a subset of a reliability fault set. We discuss a model that can be useful for identifying attack-prone components and for prioritizing security efforts early in the software life cycle.
