Toward the use of automated static analysis alerts for early identification of vulnerability- and attack-prone components

Second International Conference on Internet Monitoring and Protection, ICIMP 2007

Volumn , Issue , 2007, Pages 18-

  Gegick, Michael ^a   Williams, Laurie ^a  

^a North Carolina State University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATION; COMPUTER CRIME; IDENTIFICATION (CONTROL SYSTEMS); RISK ANALYSIS; SOFTWARE DESIGN; STATIC ANALYSIS;

AUTOMATED STATIC ANALYZERS (ASA); SOFTWARE ENGINEERS; SOFTWARE METRICS; SOFTWARE QUALITY;

FAULT TOLERANT COMPUTER SYSTEMS;

EID: 35348918737     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICIMP.2007.46     Document Type: Conference Paper

References (43)

1. V. R. Basili, L. C. Briand, and W. L. Melo, "A Validation of Object Orient Design Metrics as Quality Indicators," IEEE Transactions on Software Engineering, vol. 21, pp. 751-761, 1996.
2. B. W. Boehm, Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, Inc., 1981.
3. L. C. Briand, J. Wust, and H. Lounis, "Investigating Quality Factors in Object-Oriented Designs: An Industrial Case Study," ISERN-98-29, 1998.
4. P. Chandra, B. Chess, and J. Steven, "Putting the Tools to Work: How to Succeed with Source Code Analysis," in IEEE Security & Privacy, vol. 4, 2006, pp. 80-83.
5. B. Chess, "Improving Computer Security using Extended Static Checking," in IEEE Symposium on Security and Privacy, Berkeley, CA, 2002, pp. 160-173.
6. B. Chess and G. McGraw, "Static Analysis for Security," in IEEE Security and Privacy, vol. 2, 2004, pp. 76-79.
7. G. Denaro, S. Morasca, and G. Popek, "Deriving models of software fault-proneness," in International Conference on Software Engineering and Knowledge Engineering, pp. 361-368.
8. G. Denaro, A. Polini, and W. Emmerich, "Early Performance Testing of Distributed Software Applications," in Workshop on Software and Performance, Redwood Shores, California, 2004, pp. 94-103
9. M. Dowd, J. McDonald, and J. Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston, MA: Addison-Wesley, 2007.
10. K. El Emam, S. Benlarbi, N. Goel, and S. N. Rai, "The Confounding Effect of Class Size on the Validity of Object-Oriented Metrics," IEEE Trans. Software Eng., vol. 27, pp. 630-650 July 2001.
11. T. Gyimothy, R. Ference, and L. Siket, "Empirical Validation of Object-Oriented Metrics on Open Source Software for Fault Prediction," IEEE Trans. Software Eng., vol. 31, pp. 897-910, Oct. 2005.
12. R. Hochman, T. M. Khoshgoftaar, E. B. Allen, and J. Hudepohl, "Evolutionary Neural Networks: A Robust Approach to Software Reliability Problems," in Eighth Int'l Symp. Software Reliability Eng, 1997, pp. 13-26.
13. R. Hochman, T. M. Khoshgoftaar, E. B. Allen, and J. Hudepohl, "Using the Genetic Algorithm to Build Optimal Neural Networks for Fault-Prone Model Detection," in Seventh Int'l Symp. Software Reliability Eng., 1996, pp. 152162.
14. M. Howard and D. LeBlanc, Writing Secure Code. Redmond, WA: Microsoft Press, 2003.
15. J. Hudepohl, S. J. Aud, T. Khoshgoftaar, E. B. Allen, and J. Mayrand, "Emerald: Software Metrics and Models on the Desktop," IEEE Software, vol. 13, pp. 56-59, September 1996.
16. J. Hudepohl, W. Jones, and B. Lague, "EMERALD: A Case Study in Enhancing Software Reliability," in Eighth International Symposium on Software Reliability Engineering (Case Studies), Albuquerque, New Mexico, 1997, pp. 85-91.
17. IEEE, "IEEE Standard 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology," 1990.
18. T. M. Khoshgoftaar, E. B. Allen, and J. Deng, "Using Regression Trees to Classify Fault-Prone Software Modules," IEEE Transactions on Reliability, vol. 51, pp. 455-562, December, 2002 2002.
19. T. M. Khoshgoftaar, E. B. Allen, N. Goel, A. Nandi, and J. McMullan, "Detection of Software Modules with High Debug Code Chum in a Very Large Telecommunications System," in International Sympoisum on Software Reliability Engineering, White Plains, NY, 1996, pp. 364-371.
20. T. M. Khoshgoftaar, E. B. Allen, J. P. Hudepohl, and S. J. Aud, "Applications of Neural Networks to Software Quality Modeling of a Very Large Telecommunications System," Trans. Neural Networks, vol. 8, pp. 902-909, 1997.
21. T. M. Khoshgoftaar, E. B. Allen, J. P. Hudepohl, and W. Jones, "Classification Tree Models of Software Quality over Multiple Releases," in 10th Int'l Symp. Software Reliability Engineering, 1999, pp. 116-125.
22. T. M. Khoshgoftaar, E. B. Allen, K. S. Kalaichelvan, N. Goel, J. P. Hudepohl, and J. Mayrand, "Detection of faultprone program modules in a very large telecommunications system," in IEEE International Symposium on Software Reliability Engineering, Toulouse, France, 1995, pp. 24-33.
23. T. M. Khoshgoftaar, E. B. Allen, A. Naik, W. Jones, and J. P. Hudepohl, "Using Classification Trees for Software Quality Models: Lessons Learned," Int'l J. Software Eng. and Knowledge Eng., vol. 9, pp. 2127-231, 1999.
24. T. M. Khoshgoftaar and J. C. Munson, "Predicting Software Development Errors using Software Complexity Metrics," EEE Journal on Selected Areas in Communications, vol. 8, pp. 253-261, 1990.
25. I. Krsul, "Software Vulnerability Analysis," in Computer Science, vol. PhD West Lafayette: Purdue University, 1998.
26. G. McGraw, Software Security: Building Security In. Boston: Addison-Wesley, 2006.
27. T. Menzies, J. Greenwald, and A. Frank, "Data Mining Static Code Attributes to Learn Defect Predictors," IEEE Trans. Software Eng., vol. 33, pp. 2-13, 2007.
28. J. Munson and T. Khoshgoftaar, "The Detection of Fault-Prone Programs," IEEE Transactions on Software Engineering, vol. 18, pp. 423-433, 1992.
29. N. Nagappan, "A Software Testing and Reliability Early Warning (STREW) Metric Suite," in Computer Science Raleigh, NC: North Carolina State University, 2005.
30. N. Nagappan and T. Ball, "Static Analysis Tools as Early Indicators of Pre-release Defect Density," in International Conference on Software Engineering, St. Louis, MO, 2005, pp. 580-586.
31. N. Nagappan, T. Ball, and B. Murphy, "Using Historical In-Process and Product Metrics for Early Estimation of Software Failures," in International Symposium on Software Reliability Engineering, Raleigh, NC, 2006, pp. 62-74.
32. N. Nagappan and L. Williams, "A Software Reliability Estimation Framework for Extreme Programming," in International Symposium on Software Reliability Engineering (ISSRE) Student Paper, Denver, CO, 2003.
33. N. Nagappan, L. Williams, J. Osborne, M. Vouk, and P. Abrahamsson, " Providing Test Quality Feedback Using Static Source Code and Automatic Test Suite Metrics," in Chicago, IL, International Symposium on Software Reliability Engineering (ISSRE) 2005, 2005, pp. 85-94.
34. N. Nagappan, L. Williams, and M. Vouk, "Initial Results of Using In-Process Testing Metrics to Estimate Software Reliability," North Carolina State Department of Computer Science CSC TR-2004-5, January 25, 2004.
35. N. Nagappan, L. Williams, M. Vouk, J. Hudepohl, and W. Snipes, "A Preliminary Investigation of Automated Software Inspection," in IEEE International Symposium on Software Reliability Engineering, St. Malo, France, 2004, pp. 429-439.
36. N. Nagappan, L. Williams, M. Vouk, and J. Osborne, "Using In-Process Testing Metrics to Estimate Software Reliability: A Feasibility Study," in Fast Abstract at the International Symposium on Software Reliability Engineering (ISSRE) 2004, St. Malo, France, 2004, pp. 21-22.
37. N. Nagappan, L. Williams, and M. A. Vouk, "Towards a Metric Suite for Early Software Reliability Assessment," in International Symposium on Software Reliability Engineering Fast Abstract, Denver, CO, 2003.
38. T. J. Ostrand, E. J. Weyuker, and R. M. Bell, "Where the bugs are," in International Symposium on Software Testing and Analysis, Boston, Massachusetts, 2004, pp. 86-96.
39. R. Subramanyam and M. S. Krishnan, "Empirical Analysis of CK Metrics for Object-Oriented Design Complexity: Implications for Software Defects," IEEE Transactions on Software Engineering, vol. 29, pp. 297-310, April 2003.
40. J. Voas, A. Ghosh, G. McGraw, F. Charron, and K. Miller, "Defining an Adaptive Software Security Metric from a Dynamic Software Failure Tolerance Measure," in COMPASS '96, Gaithersburg, MD, 1996, pp. 250-263.
41. C. Wysopal, L. Nelson, D. Dai Zovi, and E. Dustin, The Art of Software Security Testing: Identifying Software Security Flaws. Boston: Addison Wesley, 2006.
42. J. Zheng, L. Williams, W. Snipes, N. Nagappan, J. Hudepohl, and M. Vouk, "On the Value of Static Analysis Tools for Fault Detection," IEEE Transactions on Software Engineering, vol. 32, pp. 240-253, 2006.
43. Y. Zhou and L. Hareton, "Empirical Analysis of Object-Oriented Design Metrics for Predicting High and Low Severity Faults," IEEE Transactions on Software Engineering, vol. 32, pp. 771-789, October 2006.