The life and death of statically detected vulnerabilities: An empirical study

Information and Software Technology

Volumn 51, Issue 10, 2009, Pages 1469-1484

  Penta, Massimiliano Di ^a   Cerulo, Luigi ^a   Aversano, Lerina ^a  

^a UNIVERSITY OF SANNIO   (Italy)

Author keywords

Empirical study; Mining software repositories; Software vulnerabilities

Indexed keywords

BUFFER OVERFLOWS; CROSS SITE SCRIPTING; DATA LOSS; EMPIRICAL STUDIES; EMPIRICAL STUDY; LIFE AND DEATH; MINING SOFTWARE REPOSITORIES; NETWORKING SYSTEMS; QUALITATIVE ANALYSIS; SECURITY ATTACKS; SOFTWARE VULNERABILITIES; SOURCE CODES;

COMPUTER SOFTWARE; MINING; PROBABILITY DENSITY FUNCTION; QUALITY CONTROL;

SECURITY OF DATA;

EID: 67650108546     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2009.04.013     Document Type: Article

References (42)

1. I.V. Krsul, Software vulnerability analysis, Ph.D. Thesis, West Lafayette, IN, USA, Major Professor-Eugene H. Spafford, 1998.
2. E. Duala-Ekoko, M.P. Robillard, Tracking code clones in evolving software, in: ICSE'07: Proceedings of the 29th International Conference on Software Engineering, IEEE Computer Society, Minneapolis, MN, USA, 2007, pp. 158-167.
3. H. Gall, M. Jazayeri, J. Krajewski, CVS release history data for detecting logical couplings, in: IWPSE'03: Proceedings of tshe Sixth International Workshop on Principles of Software Evolution, IEEE Computer Society, 2003, p. 13.
4. T. Zimmermann, P. Weisgerber, S. Diehl, A. Zeller, Mining version histories to guide software changes, in: ICSE'04: Proceedings of the 26th International Conference on Software Engineering, IEEE CS, 2004, pp. 563-572.
5. Canfora G., Cerulo L., and Di Penta M. Tracking your changes: a language-independent approach. IEEE Softw. 26 1 (2009) 50-57
6. G. Canfora, L. Cerulo, M. Di Penta, Identifying changed source code lines from version repositories, in: MSR'07: Proceedings of the Fourth International Workshop on Mining Software Repositories, IEEE CS, 2007, p. 14.
7. Cifuentes C., and Scholz B. Parfait: designing a scalable bug checker. SAW '08: Proceedings of the 2008 Workshop on Static Analysis (2008), ACM, New York, NY, USA 4-11
8. C. Cifuentes, Parfait - a scalable bug checker for c code, in: IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2008), IEEE Computer Society, Los Alamitos, CA, USA, 2008, pp. 263-264.
9. D. DaCosta, C. Dahn, S. Mancoridis, V. Prevelakis, Characterizing the security vulnerability likelihood' of software functions, in: ICSM'03: Proceedings of the International Conference on Software Maintenance, IEEE Computer Society, Washington, DC, USA, 2003, p. 266.
10. O. Ruwase, M.S. Lam, A practical dynamic buffer overflow detector, in: NDSS, 2004.
11. B. Korel, A.M. Al-Yami, Assertion-oriented automated test data generation, in: ICSE'96: Proceedings of the 18th International Conference on Software Engineering, IEEE CS, Washington, DC, USA, 1996, pp. 71-80.
12. Tracey N., Clark J., Mander K., and McDermid J. Automated test-data generation for exception conditions. Softw. Pract. Exper. 30 1 (2000) 61-79
13. Del Grosso C., Antoniol G., Di Penta M., Galinier P., and Merlo E. Improving network applications security: a new heuristic to generate stress testing data. GECCO'05: Proceedings of the 2005 Conference on Genetic and Evolutionary Computation (2005), ACM, New York, NY, USA 1037-1043
14. C. Dahn, S. Mancoridis, Using program transformation to secure C programs against buffer overflows, in: WCRE'03: Proceedings of the 10th Working Conference on Reverse Engineering, IEEE Computer Society, Washington, DC, USA, 2003, p. 323.
15. L. Wang, J.R. Cordy, T.R. Dean, Enhancing security using legality assertions, in: WCRE'05: Proceedings of the 12th Working Conference on Reverse Engineering, IEEE CS, Washington, DC, USA, 2005, pp. 35-44.
16. E. Merlo, D. Letarte, G. Antoniol, Automated protection of php applications against SQL-injection attacks, in: CSMR'07: Proceedings of the 11th European Conference on Software Maintenance and Reengineering, IEEE Computer Society, Washington, DC, USA, 2007, pp. 191-202.
17. Huang Y.-W., Huang S.-K., Lin T.-P., and Tsai C.-H. Web application security assessment by fault injection and behavior monitoring. WWW'03: Proceedings of the 12th International Conference on World Wide Web (2003), ACM, New York, NY, USA 148-159
18. Scott D., and Sharp R. Abstracting application-level web security. WWW '02: Proceedings of the 11th International Conference on World Wide Web (2002), ACM, New York, NY, USA 396-407
19. A. Mockus, D.M. Weiss, P. Zhang, Understanding and predicting effort in software projects, in: ICSE'03: Proceedings of the 25th International Conference on Software Engineering, IEEE CS, Washington, DC, USA, 2003, pp. 274-284.
20. W. Jones, Reliability models for very large software systems in industry, in: International Symposium on Software Reliability Engineering, 1991, pp. 35-42.
21. P.L. Li, M. Shaw, J. Herbsleb, B. Ray, P. Santhanam, Empirical evaluation of defect projection models for widely-deployed production software systems, in: SIGSOFT'04/FSE-12: Proceedings of the 12th ACM SIGSOFT 12th International Symposium on Foundations of Software Engineering, ACM, New York, NY, USA, 2004, pp. 263-272.
22. Wood A. Predicting software reliability. IEEE Comput. 9 (1999) 69-77
23. Calzolari F., Tonella P., and Antoniol G. Maintenance and testing effort modeled by linear and nonlinear dynamic systems. Inform. Softw. Technol. 43 8 (2001) 477-486
24. S. Kim, M.D. Ernst, Which warnings should I fix first?, in: Proceedings of the Sixth Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2007, Dubrovnik, Croatia, September 3-7, 2007, 2007, pp. 45-54.
25. Geiger R., Fluri B., Gall H.C., and Pinzger M. Relation of code clones and change couplings. Proceedings of the 9th International Conference of Funtamental Approaches to Software Engineering (FASE) vol. 3922 (2006), LNCS, Springer, Vienna, Austria 411-425
26. M. Kim, V. Sazawal, D. Notkin, G. Murphy, An empirical study of code clone genealogies, in: Proceedings of the European Software Engineering Conference and the ACM Symposium on the Foundations of Software Engineering, Lisbon, Portogal, 2005, pp. 187-196.
27. L. Aversano, G. Canfora, L. Cerulo, C. Del Grosso, M. Di Penta, An empirical study on the evolution of design patterns, in: ESEC-FSE'07: Proceedings of the the Sixth Joint Meeting of the European Software Engineering conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, ACM Press, New York, NY, USA, 2007, pp. 385-394.
28. S. Neuhaus, T. Zimmermann, C. Holler, A. Zeller, Predicting vulnerable software components, in: ACM Conference on Computer and Communications Security, 2007, pp. 529-540.
29. Alhazmi O.H., Malaiya Y.K., and Ray I. Measuring, analyzing and predicting security vulnerabilities in software systems. Comput. Secur. 26 3 (2007) 219-228
30. A. Ozment, S.E. Schechter, Milk or wine: does software security improve with age?, in: Proceedings of the 15th Usenix Security Symposium, August 2006, 2006.
31. Z. Li, L. Tan, X. Wang, S. Lu, Y. Zhou, C. Zhai, Have things changed now?: an empirical study of bug characteristics in modern open source software, in: Proceedings of the First Workshop on Architectural and System Support for Improving Software Dependability, ASID 2006, San Jose, California, USA, October 21, 2006, pp. 25-33.
32. M. Di Penta, L. Cerulo, L. Aversano, The evolution and decay of statically detected source code vulnerabilities, in: Proceedings of the Eighth IEEE Working Conference on Source Code Analysis and Manipulation, IEEE Computer Society, 2008, pp. 101-110.
33. Evans D., and Larochelle D. Improving security using extensible lightweight static analysis. IEEE Softw. 19 1 (2002) 42-51
34. J. Viega, J. Bloch, T. Kohno, G. McGraw, ITS4: A static vulnerability scanner for C and C++ code, in: Proceedings of the 16th Annual Computer Security Applications Conference, 2000, pp. 3-17.
35. S. Balasubramanian, Strides Towards Better Application Security, Ph.D. Thesis, Utah State University, 2008.
36. N. Jovanovic, C. Kruegel, E. Kirda, Pixy: a static analysis tool for detecting web application vulnerabilities, in: Security and Privacy, 2006 IEEE Symposium on, vol. 6, 2006, p. 263.
37. Sheskin D. Handbook of Parametric and Nonparametric Statistical Procedures. fourth ed. (2007), Chapman & Hall
38. Dickey D.A., and Fuller W.A. Likelihood ratio statistics for autoregressive time series with a unit root. Econometrica 49 4 (1981) 1057-1072
39. Miller R.G. Simultaneous Statistical Inference. second ed. (1981), Springer-Verlag
40. Cohen J. Statistical Power Analysis for the Behavioral Sciences. second ed. (1988), Lawrence Earlbaum Associates, Hillsdale, NJ
41. M. Di Penta, L. Cerulo, L. Aversano, The life and death of statically detected vulnerabilities: an empirical study, Tech. rep., Department of Engineering, University of Sannio, Italy, 2009, .
42. Yin R.K. Case Study Research: Design and Methods. third ed. (2002), SAGE Publications, London