Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities
Journal of Systems Architecture: the EUROMICRO Journal
It is difficult to detect vulnerabilities until they manifest themselves as security failures in the operational stage of software, because security concerns are not addressed or known sufficiently early during development. Complexity, coupling, and cohesion (CCC) related software metrics can be measured during the earlier phases of software development. If empirical relationships can be discovered between CCC metrics and vulnerabilities, these metrics could help software developers take proactive action against potential vulnerabilities. In this paper, we conduct an extensive case study on Mozilla Firefox to provide empirical evidence on how vulnerabilities are related to complexity, coupling, and cohesion. We find that CCC metrics are correlated with vulnerabilities at a statistically significant level. We further examine the correlations to determine which level of CCC metrics (design or code) is the better indicator of vulnerabilities. We also observe that the correlation patterns are stable across multiple releases of the software. These observations show that CCC metrics can be dependably used as early indicators of vulnerabilities in software.