Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. We create predictive models to identify which components are likely to have the most security risk. Software engineers can use these models to make measurement-based risk management decisions and to prioritize software security fortification efforts, such as redesign and additional inspection and testing. We mined and analyzed data from a large commercial telecommunications software system containing over one million lines of code that had been deployed to the field for two years. Using recursive partitioning, we built attack-prone prediction models with the following code-level metrics: static analysis tool alert density, code churn, and count of source lines of code. One model identified 100% of the attack-prone components (40% of the total number of components) with an 8% false positive rate. As such, the model could be used to prioritize fortification efforts in the system.
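The modelling step the abstract describes, as an added example that is not the paper's code or data: a small recursive-partitioning classifier grown over the three code-level metrics named above (static analysis alert density, code churn, source lines of code), scored by recall on attack-prone components and false positive rate, and used to rank components for fortification effort. Everything concrete here is an assumption: the component metrics and labels are constructed, alert density is normalised per thousand lines, churn is taken as lines added or changed, and the tree uses Gini impurity with a maximum depth and a minimum leaf size in place of whatever recursive-partitioning tool and stopping rules the authors used.

```python
from dataclasses import dataclass

@dataclass
class Component:
    name: str
    sloc: int           # count of source lines of code
    alerts: int         # static analysis tool alerts reported on the component
    churn: int          # lines added or changed in the period (assumed definition of churn)
    attack_prone: bool  # label: at least one field-reported vulnerability (constructed)
    @property
    def alert_density(self) -> float:
        return self.alerts / self.sloc * 1000  # alerts per KLOC (assumed normalisation)

METRICS = ("alert_density", "churn", "sloc")  # the three predictors the abstract names

# Constructed sample: every number and label below is invented for illustration.
COMPONENTS = [
    Component("auth",    12000,  60, 4000, True),
    Component("parser",   8000,  48, 3500, True),
    Component("net",     15000,  45, 6000, True),
    Component("session",  5000,  25, 2200, True),
    Component("billing", 20000,  30, 1500, False),
    Component("logging",  3000,   3,  200, False),
    Component("ui",      25000, 100, 3000, False),  # noisy: looks risky, never attacked
    Component("config",   2000,   2,  100, False),
    Component("report",   7000,   7,  400, False),
    Component("sched",    4000,   6,  300, False),
    Component("cache",    6000,   9,  800, False),
    Component("export",   9000,  18,  600, False),
]

@dataclass
class Node:
    score: float                    # fraction of attack-prone components reaching this node
    metric: "str | None" = None     # None marks a leaf
    threshold: float = 0.0
    left: "Node | None" = None      # components with metric <= threshold
    right: "Node | None" = None     # components with metric > threshold

def gini(items: list) -> float:
    p = sum(c.attack_prone for c in items) / len(items)
    return 2 * p * (1 - p)

def best_split(items: list, min_leaf: int):
    # Greedy search over every metric and every midpoint between adjacent observed values.
    best, base = None, gini(items)
    for m in METRICS:
        values = sorted({getattr(c, m) for c in items})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [c for c in items if getattr(c, m) <= t]
            right = [c for c in items if getattr(c, m) > t]
            if len(left) < min_leaf or len(right) < min_leaf:
                continue  # a split may not isolate fewer than min_leaf components
            gain = base - (len(left) * gini(left) + len(right) * gini(right)) / len(items)
            if best is None or gain > best[0]:
                best = (gain, m, t)
    return best

def grow(items: list, depth: int = 0, max_depth: int = 2, min_leaf: int = 2) -> Node:
    # Recursive partitioning: keep splitting while impurity drops and the stopping rules allow.
    node = Node(score=sum(c.attack_prone for c in items) / len(items))
    if depth >= max_depth or gini(items) == 0.0:
        return node
    found = best_split(items, min_leaf)
    if found is None or found[0] <= 0:
        return node
    _, node.metric, node.threshold = found
    left = [c for c in items if getattr(c, node.metric) <= node.threshold]
    right = [c for c in items if getattr(c, node.metric) > node.threshold]
    node.left = grow(left, depth + 1, max_depth, min_leaf)
    node.right = grow(right, depth + 1, max_depth, min_leaf)
    return node

def leaf_for(tree: Node, c: Component) -> Node:
    node = tree
    while node.metric is not None:
        node = node.left if getattr(c, node.metric) <= node.threshold else node.right
    return node

def predict(tree: Node, c: Component) -> bool:
    # Flag when at least half of the leaf's training components were attacked; a tie goes to
    # "attack-prone", because a missed component costs more than one unnecessary review.
    return leaf_for(tree, c).score >= 0.5

def evaluate(tree: Node, items: list) -> tuple:
    # Returns (recall on attack-prone components, false positive rate, fraction flagged).
    tp = sum(1 for c in items if c.attack_prone and predict(tree, c))
    fn = sum(1 for c in items if c.attack_prone and not predict(tree, c))
    fp = sum(1 for c in items if not c.attack_prone and predict(tree, c))
    tn = sum(1 for c in items if not c.attack_prone and not predict(tree, c))
    return tp / (tp + fn), fp / (fp + tn), (tp + fp) / len(items)

def rank_for_fortification(tree: Node, items: list) -> list:
    # Order for spending redesign, inspection and testing effort: leaf risk score, then alert density.
    return [c.name for c in sorted(items, key=lambda c: (-leaf_for(tree, c).score, -c.alert_density))]

if __name__ == "__main__":
    tree = grow(COMPONENTS)
    print(f"root split: {tree.metric} <= {tree.threshold:g}")
    print("recall, fpr, flagged:", evaluate(tree, COMPONENTS))
    print("fortify first:", rank_for_fortification(tree, COMPONENTS))
```

On the constructed set the root split lands on alert density; the tree catches all four attack-prone components (recall 100%) while flagging 5 of 12, with one false positive (12.5%), so the shape of the result resembles the abstract's but the numbers belong to the sample, not to the paper. The minimum leaf size is what stops the tree from carving out a single noisy component such as ui and memorising it. Evaluating on the same components the tree was grown from, as here, overstates accuracy; for a real decision, grow the tree on one release and score the next, or cross-validate, and treat the ranking as an ordering of inspection effort rather than a verdict on any one component.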