An empirical study of the reliability of UNIX utilities
Communications of the ACM
Estimating the Probability of Failure When Testing Reveals No Failures
IEEE Transactions on Software Engineering
The nature of statistical learning theory
The nature of statistical learning theory
Software fault injection: inoculating programs against errors
Software fault injection: inoculating programs against errors
Symbolic pointer analysis for detecting memory leaks
PEPM '00 Proceedings of the 2000 ACM SIGPLAN workshop on Partial evaluation and semantics-based program manipulation
Symbolic bounds analysis of pointers, array indices, and accessed memory regions
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Token-based scanning of source code for security problems
ACM Transactions on Information and System Security (TISSEC)
Efficient path conditions in dependence graphs
Proceedings of the 24th International Conference on Software Engineering
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
Static Detection of Pointer Errors: An Axiomatisation and a Checking Algorithm
ESOP '96 Proceedings of the 6th European Symposium on Programming Languages and Systems
Fast Algorithms for Mining Association Rules in Large Databases
VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Populating a Release History Database from Version Control and Bug Tracking Systems
ICSM '03 Proceedings of the International Conference on Software Maintenance
Characterizing the 'Security Vulnerability Likelihood' of Software Functions
ICSM '03 Proceedings of the International Conference on Software Maintenance
Buffer overrun detection using linear programming and static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Hipikat: A Project Memory for Software Development
IEEE Transactions on Software Engineering
MSR '05 Proceedings of the 2005 international workshop on Mining software repositories
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Mining metrics to predict component failures
Proceedings of the 28th international conference on Software engineering
Predicting component failures at design time
Proceedings of the 2006 ACM/IEEE international symposium on Empirical software engineering
Have things changed now?: an empirical study of bug characteristics in modern open source software
Proceedings of the 1st workshop on Architectural and system support for improving software dependability
Statically detecting likely buffer overflow vulnerabilities
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Security vulnerabilities in software systems: a quantitative perspective
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
Comparing design and code metrics for software quality prediction
Proceedings of the 4th international workshop on Predictor models in software engineering
SAVE: static analysis on versioning entities
Proceedings of the fourth international workshop on Software engineering for secure systems
AFID: an automated fault identification tool
ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Predicting Software Metrics at Design Time
PROFES '08 Proceedings of the 9th international conference on Product-Focused Software Process Improvement
Prioritizing software security fortification throughcode-level metrics
Proceedings of the 4th ACM workshop on Quality of protection
Toward Non-security Failures as a Predictor of Security Faults and Failures
ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
The life and death of statically detected vulnerabilities: An empirical study
Information and Software Technology
Fair and balanced?: bias in bug-fix datasets
Proceedings of the the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
DebugAdvisor: a recommender system for debugging
Proceedings of the the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Strong dependencies between software components
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Using strong conflicts to detect quality issues in component-based complex systems
Proceedings of the 3rd India software engineering conference
Fault-prone module detection using large-scale text features based on spam filtering
Empirical Software Engineering
Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities?
Proceedings of the 2010 ACM Symposium on Applied Computing
Towards a unifying approach in understanding security problems
ISSRE'09 Proceedings of the 20th IEEE international conference on software reliability engineering
AFID: an automated approach to collecting software faults
Automated Software Engineering
Strengthening the empirical analysis of the relationship between Linus' Law and software security
Proceedings of the 2010 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement
Predicting vulnerable software components with dependency graphs
Proceedings of the 6th International Workshop on Security Measurements and Metrics
Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox
Proceedings of the 6th International Workshop on Security Measurements and Metrics
Pushing boulders uphill: the difficulty of network intrusion recovery
LISA'09 Proceedings of the 23rd conference on Large installation system administration
The beauty and the beast: vulnerabilities in red hat’s packages
USENIX'09 Proceedings of the 2009 conference on USENIX Annual technical conference
Is open source security a myth?
Communications of the ACM
After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities
Journal of Systems Architecture: the EUROMICRO Journal
Scalable trust establishment with software reputation
Proceedings of the sixth ACM workshop on Scalable trusted computing
Are popular classes more defect prone?
FASE'10 Proceedings of the 13th international conference on Fundamental Approaches to Software Engineering
Learning from the future of component repositories
Proceedings of the 15th ACM SIGSOFT symposium on Component Based Software Engineering
Evaluating defect prediction approaches: a benchmark and an extensive comparison
Empirical Software Engineering
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Software vulnerability prediction using text analysis techniques
Proceedings of the 4th international workshop on Security measurements and metrics
Predicting vulnerable classes in an Android application
Proceedings of the 4th international workshop on Security measurements and metrics
Detecting and analyzing insecure component usage
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
Measuring and ranking attacks based on vulnerability analysis
Information Systems and e-Business Management
Broken sets in software repository evolution
Proceedings of the 2013 International Conference on Software Engineering
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis
Proceedings of the 2013 International Conference on Software Engineering
Information and Software Technology
On software component co-installability
ACM Transactions on Software Engineering and Methodology (TOSEM) - Testing, debugging, and error handling, formal methods, lifecycle concerns, evolution and maintenance
An empirical study of vulnerability rewards programs
SEC'13 Proceedings of the 22nd USENIX conference on Security
Proceedings of the 23rd international conference on World wide web
| Hi-index | 0.02 |
Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable. In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable. Based on this observation, we were able to extend Vulture by a simple predictor that correctly predicts about half of all vulnerable components, and about two thirds of all predictions are correct. This allows developers and project managers to focus their their efforts where it is needed most: "We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities.".