DocumentCode
1309720
Title
Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities
Author
Shin, Yonghee ; Meneely, Andrew ; Williams, Laurie ; Osborne, Jason A.
Author_Institution
Coll. of Comput. & Digital Media, DePaul Univ., Chicago, IL, USA
Volume
37
Issue
6
fYear
2011
Firstpage
772
Lastpage
787
Abstract
Security inspection and testing require experts in security who think like an attacker. Security experts need to know code locations on which to focus their testing and inspection efforts. Since vulnerabilities are rare occurrences, locating vulnerable code locations can be a challenging task. We investigated whether software metrics obtained from source code and development history are discriminative and predictive of vulnerable code locations. If so, security experts can use this prediction to prioritize security inspection and testing efforts. The metrics we investigated fall into three categories: complexity, code churn, and developer activity metrics. We performed two empirical case studies on large, widely used open-source projects: the Mozilla Firefox web browser and the Red Hat Enterprise Linux kernel. The results indicate that 24 of the 28 metrics collected are discriminative of vulnerabilities for both projects. The models using all three types of metrics together predicted over 80 percent of the known vulnerable files with less than 25 percent false positives for both projects. Compared to a random selection of files for inspection and testing, these models would have reduced the number of files and the number of lines of code to inspect or test by over 71 and 28 percent, respectively, for both projects.
Keywords
Linux; online front-ends; program testing; public domain software; software fault tolerance; software metrics; Mozilla Firefox Web browser; Red Hat enterprise Linux kernel; code churn; developer activity metrics; open-source projects; security inspection; software metrics; software vulnerabilities; source code; vulnerable code locations; Charge coupled devices; Complexity theory; Fault diagnosis; Predictive models; Software security; Fault prediction; software metrics; software security; vulnerability prediction.;
fLanguage
English
Journal_Title
Software Engineering, IEEE Transactions on
Publisher
ieee
ISSN
0098-5589
Type
jour
DOI
10.1109/TSE.2010.81
Filename
5560680
Link To Document