On the Use of Software Metrics as a Predictor of Software Security Problems

Abstract

Relying on one validation and verification (V&V) technique alone cannot detect all of the security problems of a software system. Each class of V&V effort detects different classes of faults in software. Even after composing a series of V&V efforts, one can never be completely sure that all faults have been detected. Additionally, security-related V&V efforts must be continuously updated to handle the newest forms of exploits of the underlying vulnerabilities in software. The alerts produced by automated static analysis (ASA) tools and other static metrics have been shown to be effective estimators of the actual reliability of a software system. Defect density can be predicted, and high-risk components identified, using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted from the number of security-related alerts reported by one or more static analyzers and from other static metrics. We built and evaluated statistical prediction models that estimate the actual overall security of a system.
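The hypothesis in the abstract, as an added worked example that is not code from the report: fit a statistical prediction model that estimates a component's vulnerability count from its number of security-related ASA alerts plus two other static metrics, then rank the components of the next release so V&V effort goes to the predicted high-risk ones first. The abstract does not say which model the authors used; ordinary least squares is assumed here for illustration, and the component names, metric values and labels are constructed (the training labels lie exactly on one plane so the fit is exact and checkable; real data is noisy). Pure Python, no third-party packages.

```python
"""Added example (not from the DTIC report): predict per-component vulnerability
counts from security-related static-analysis alerts, size and churn with an
ordinary least-squares model, then rank components for V&V prioritisation."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class Component:
    name: str
    sec_alerts: int   # security-related ASA alerts (e.g. unchecked buffer / format-string warnings)
    kloc: float       # size in thousands of lines of code
    churn: int        # lines added or changed since the previous release
    vulns: int = 0    # vulnerabilities actually reported (training label; unknown for a new release)


def design_row(c: Component) -> List[float]:
    """Feature vector for one component, with an intercept term first."""
    return [1.0, float(c.sec_alerts), c.kloc, float(c.churn)]


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: predictors are collinear")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(train: Sequence[Component]) -> List[float]:
    """Ordinary least squares via the normal equations: (X^T X) beta = X^T y."""
    X = [design_row(c) for c in train]
    y = [float(c.vulns) for c in train]
    p = len(X[0])
    xtx = [[sum(r[i] * r[j] for r in X) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(p)]
    return solve(xtx, xty)


def predict(beta: Sequence[float], c: Component) -> float:
    """Predicted vulnerability count for one component."""
    return sum(b * x for b, x in zip(beta, design_row(c)))


def rank_components(beta: Sequence[float], comps: Sequence[Component]) -> List[Tuple[str, float]]:
    """Components ordered by predicted vulnerability count, highest risk first."""
    scored = [(c.name, predict(beta, c)) for c in comps]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed training data (hypothetical; not the report's dataset).  Labels lie
# exactly on vulns = 0.4*alerts + 0.5*kloc + 0.01*churn so the fit is exact.
TRAINING = [
    Component("net/parser",   10, 4.0, 200, 8),
    Component("ui/forms",      0, 2.0, 100, 2),
    Component("auth/session",  5, 6.0, 300, 8),
    Component("crypto/tls",   20, 8.0,   0, 12),
    Component("util/strings",  0, 0.0,   0, 0),
    Component("net/http",     15, 2.0, 400, 11),
    Component("db/query",      5, 2.0, 100, 4),
]

# Next release (constructed): alerts and metrics are available from the static
# analyzer and the VCS before any security V&V has run; vulns are not yet known.
NEXT_RELEASE = [
    Component("net/parser",   12, 4.2, 150),
    Component("ui/forms",      1, 2.1,  50),
    Component("auth/session",  8, 6.5, 500),
    Component("crypto/tls",    2, 8.0,  20),
]

BETA = fit_ols(TRAINING)
RANKING = rank_components(BETA, NEXT_RELEASE)

if __name__ == "__main__":
    print("coefficients [intercept, alerts, kloc, churn]:", [round(b, 3) for b in BETA])
    for name, score in RANKING:
        print(f"{name:14s} predicted vulns = {score:5.2f}")
```

The output ranking is what a team would use to order code review, fuzzing or penetration-test effort. Two caveats a practitioner should keep in mind: ASA alert counts include false positives, so the fitted weight on alerts is specific to the tool and rule set used when the labels were collected, and a model trained on one project's history has to be re-validated before its coefficients are trusted on another code base.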


Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2013
Accession Number
ADA581470

Entities

People

  • Laurie Williams

Organizations

  • North Carolina State University

Tags

Communities of Interest

  • Human Systems

DTIC Thesaurus Topics

  • Abstracts
  • Agreements
  • Analyzers
  • Case Studies
  • Computer Programming
  • Computer Programs
  • Department Of Defense
  • Engineering
  • Mathematics
  • Metrics
  • Predictive Modeling
  • Reliability
  • Security
  • Software Metrics
  • Students
  • Technology Transfer
  • Vulnerability

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computational Modeling and Simulation
  • Cybersecurity
  • Software Engineering