Security metrics have been proposed to assess the security of software applications based on the principles of "reduce attack surface" and "grant least privilege." While these metrics can help inform the developer in choosing designs that provide better security, they cannot on their own show exactly how to make an application more secure. Even if they could, the onerous task of updating the software to improve its security is left to the developer. In this paper we present an approach to automated improvement of software security based on search-based refactoring. We use the search-based refactoring platform, Code-Imp, to refactor the code in a fully-automated fashion. The fitness function used to guide the search is based on a number of software security metrics. The purpose is to improve the security of the software immediately prior to its release and deployment. To test the value of this approach we apply it to an industrial banking application that has a strong security dimension, namely Wife. The results show an average improvement of 27.5% in the metrics examined. A more detailed analysis reveals that 15.5% of metric improvement results in real improvement in program security, while the remaining 12% of metric improvement is attributable to hitherto undocumented weaknesses in the security metrics themselves.