Improving vulnerability prediction accuracy with Secure Coding Standard violation measures

As demand for software has grown, the danger of malicious attacks against it has worsened. To fortify software systems against adversaries, researchers have devoted significant effort to mitigating software vulnerabilities. To eliminate security vulnerabilities from software with less inspection effort, vulnerability prediction approaches have emerged. By allocating human and time resources to the potentially vulnerable subset, a development organization can eliminate vulnerabilities in a cost-effective manner. In these approaches, a vulnerability prediction model is constructed from various software attributes. However, prediction models based on traditional software attributes have provided poor prediction accuracy or low cost effectiveness, since those attributes do not sufficiently reflect the characteristics of vulnerabilities. In this paper, we propose a novel vulnerability prediction approach based on the CERT-C Secure Coding Standard. To evaluate the efficacy of the proposed approach, the prediction results of the proposed models and of traditional models were assessed in terms of prediction accuracy and cost effectiveness. The results show that the proposed method can improve vulnerability prediction accuracy.
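As an added illustration (not code from the paper), the following Python sketch scores source files by a CERT-C violation measure and evaluates the resulting prediction under the abstract's two criteria, prediction accuracy and inspection cost effectiveness. The file records, per-rule violation counts, the LOC-based baseline standing in for a traditional metric, and the effort-aware measure (vulnerable files found within a LOC inspection budget) are all constructed assumptions, not the paper's dataset, model or exact metric.

```python
from dataclasses import dataclass

# CERT-C rule identifiers assumed for the example; counts are constructed.
RULES = ("ARR30-C", "STR31-C", "MEM30-C", "EXP34-C", "INT32-C")


@dataclass
class FileRecord:
    name: str
    loc: int
    violations: dict   # rule id -> violation count (constructed)
    vulnerable: bool   # ground truth from a constructed vulnerability history


# Constructed sample: a small code base with known-vulnerable files.
SAMPLE = [
    FileRecord("parse.c", 400, {"ARR30-C": 3, "STR31-C": 2, "EXP34-C": 1}, True),
    FileRecord("net.c", 900, {"MEM30-C": 1, "INT32-C": 4}, True),
    FileRecord("util.c", 1500, {"STR31-C": 1}, False),
    FileRecord("log.c", 300, {}, False),
    FileRecord("cfg.c", 650, {"EXP34-C": 2}, False),
    FileRecord("crypto.c", 800, {"ARR30-C": 1, "MEM30-C": 2}, True),
]


def violation_density(rec: FileRecord) -> float:
    """Secure Coding Standard violation measure: violations per 1000 LOC."""
    return 1000.0 * sum(rec.violations.get(r, 0) for r in RULES) / rec.loc


def predict(records, score, threshold):
    """Flag a file as vulnerable when its score exceeds the threshold."""
    return {r.name: score(r) > threshold for r in records}


def accuracy_metrics(records, flagged):
    """Precision and recall of the flagged set against ground truth."""
    tp = sum(1 for r in records if flagged[r.name] and r.vulnerable)
    fp = sum(1 for r in records if flagged[r.name] and not r.vulnerable)
    fn = sum(1 for r in records if not flagged[r.name] and r.vulnerable)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def cost_effectiveness(records, score, loc_budget_fraction):
    """Fraction of vulnerable files found when inspecting files in descending
    score order until the LOC budget (a fraction of total LOC) runs out."""
    budget = loc_budget_fraction * sum(r.loc for r in records)
    found = inspected = 0
    for r in sorted(records, key=score, reverse=True):
        if inspected + r.loc > budget:
            break
        inspected += r.loc
        found += r.vulnerable
    total_vuln = sum(r.vulnerable for r in records)
    return found / total_vuln if total_vuln else 0.0
```

On this constructed data, ranking by violation density finds two of three vulnerable files within a 30% LOC budget, while ranking by size alone finds none, which is the kind of cost-effectiveness contrast the abstract refers to.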
