Toward Non-security Failures as a Predictor of Security Faults and Failures
ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Using security metrics coupled with predictive modeling and simulation to assess security processes
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Predicting vulnerable software components with dependency graphs
Proceedings of the 6th International Workshop on Security Measurements and Metrics
Measuring and ranking attacks based on vulnerability analysis
Information Systems and e-Business Management
| Hi-index | 0.03 |
Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. An early security risk analysis that ranks software components by probability of being attacked can provide an affordable means to prioritizing fortification efforts to the highest risk components. We created a predictive model using classification and regression trees and the following internal metrics: quantity of Klocwork static analysis warnings, file coupling, and quantity of changed and added lines ofcode. We validated the model against pre-release security testing failures on a large commercial telecommunications system. The model assigned a probability of attack to each file where upon ranking the probabilities in descending order we found that 72% of the attack-prone files are in the top 10% of the ranked files and 90% in the top 20% of the files.