Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox
Proceedings of the 6th International Workshop on Security Measurements and Metrics
After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Assessing modularity via usage changes
Proceedings of the 10th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools
Hi-index | 0.00 |
Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. This limitation necessitates security risk management where security efforts are prioritized to the highest risk vulnerabilities that cause the most damage to the end user. We created a predictive model that identifies the software components that pose the highest security risk in order to prioritize security fortification efforts. The input variables to our model are available early in the software life cycle and include security-related static analysis tool warnings, code churn and size, and faults identified by manual inspections. These metrics are validated against vulnerabilities reported by testing and those found in the field. We evaluated our model on a large Cisco software system and found that 75.6% of the system's vulnerable components are in the top 18.6% of the components predicted to be vulnerable. The model's false positive rate is 47.4% of this top 18.6% or 9.1% of the total system components. We quantified the goodness of fit of our model to the Cisco data set using a receiver operating characteristic curve that shows 94.4% of the area is under the curve.