Predicting vulnerable software components with dependency graphs

6th International Workshop on Security Measurements and Metrics, MetriSec 2010

Volumn , Issue , 2010, Pages

  Nguyen, Viet Hung ^a   Tran, Le Minh Sang ^a  

^a UNIVERSITY OF TRENTO   (Italy)

Author keywords

prediction; vulnerability

Indexed keywords

CODE METRICS; COMPLEXITY METRICS; DEPENDENCY GRAPHS; EMPIRICAL RESULTS; FIREFOX; JAVASCRIPT; PREDICTION; PREDICTION MODEL; RECALL RATE; SECURITY METRICS; SOFTWARE COMPONENT; SOFTWARE SECURITY; VULNERABILITY;

FORECASTING; MATHEMATICAL MODELS;

SECURITY OF DATA;

EID: 78649393441     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1853919.1853923     Document Type: Conference Paper

References (24)

1. R. Anderson. Why information security is hard - an economic perspective. In Proc. of ACSAC'01, 2001.
2. C. Catal and B. Diri. A systematic review of software fault prediction studies. Expert Sys. with App., 36(4):7346-7354, 2009.
3. I. Chowdhury and M. Zulkernine. Using complexity, coupling, and cohesion metrics as early predictors of vul. J. of Soft. Arch., 2010.
4. J. Cohen. Statistical Power Analysis for the Behavioral Sciences, 2nd ed. Hillsdale, NJ: Lawrence Erlbaum Associates, 1988.
5. M. Gegick. Failure-prone components are also attack-prone components. In Proc. of the 23rd ACM SIGPLAN Conf. on Object-Oriented Prog. , Sys. , Lang. , and Applications (OOPSLA'08), pages 917-918. ACM Press, 2008.
6. M. Gegick and L. Williams. Ranking attack-prone components with a predictive model. In Proc. of ISSRE'08, pages 315-316, 2008.
7. M. Gegick, L. Williams, J. Osborne, and M. Vouk. Prioritizing software security fortification throughcode-level metrics. In Proc. of QoP'08, pages 31-38. ACM, 2008.
8. Y. Jiang, B. Cuki, T. Menzies, and N. Bartlow. Comparing design and code metrics for software quality prediction. In Proc. of PROMISE'08, pages 11-18. ACM, 2008.
9. F. Massacci and V. H. Nguyen. Which is the right source for vulnerabilities studies? an empirical analysis on mozilla firefox. In Proc. of MetriSec'10, 2010.
10. T. Menzies, J. Greenwald, and A. Frank. Data mining static code attributes to learn defect predictors. TSE, 33(9):2-13, 2007.
11. N. Nagappan and T. Ball. Use of relative code churn measures to predict system defect density. In Proc. of ICSE'05, pages 284-292, 2005.
12. S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller. Predicting vulnerable software components. In Proc. of CCS'07, pages 529-540, October 2007.
13. H. M. Olague, S. Gholston, and S. Quattlebaum. Empirical validation of three software metrics suites to predict fault-proneness of object-oriented classes developed using highly iterative or agile software development processes. TSE, 33(6):402-419, 2007.
14. T. J. Ostrand and E. J. Weyuker. How to measure success of fault prediction models. In SOQUA '07: Fourth international workshop on Software quality assurance, pages 25-30, New York, NY, USA, 2007. ACM.
15. A. Ozment. Vulnerability Discovery and Software Security. PhD thesis, University of Cambridge. Cambridge, UK, 2007.
16. Y. Shin. Exploring complexity metrics as indicators of software vulnerability. In Proc. of the Int. Doctoral Symp. on Empirical Soft. Eng. (IDoESE'08).
17. Y. Shin and L. Williams. An empirical model to predict security vulnerabilities using code complexity metrics. In Proc. of ESEM'08, 2008.
18. Y. Shin and L. Williams. Is complexity really the enemy of software security? In Proc. of QoP'08, pages 47-50, 2008.
19. Wessa. P. (2010), Free Statistics Software, Office for Research Development and Education, version 1.1.23-r6. http://www.wessa.net/.
20. H. Zhang and X. Zhang. Comments on data mining static code attributes to learn defect predictors. TSE, 33(9):635-637, 2007.
21. H. Zhang, X. Zhang, and M. Gu. Predicting defective software components from code complexity measures. In Procc. of PRDC'07, pages 93-96, 2007.
22. T. Zimmermann and N. Nagappan. Predicting defects with program dependencies. In Proc. of ESEM'09, 2009.
23. T. Zimmermann, R. Premraj, and A. Zeller. Predicting defects for eclipse. In Proc. of PROMISE'07, page 9. IEEE Computer Society, 2007.
24. T. Zimmermann and P. WeiSSgerber. Preprocessing cvs data for ne-grained analysis. In Proc. of the 1st Int. Working Conf. on Mining Soft. Repo. MSR('04), pages 2-6, May 2004.