Accession Number : ADA581470


Title :   On the Use of Software Metrics as a Predictor of Software Security Problems


Descriptive Note : Final rept. 1 Jun 2009-31 Oct 2012


Corporate Author : NORTH CAROLINA STATE UNIV AT RALEIGH


Personal Author(s) : Williams, Laurie


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/a581470.pdf


Report Date : Jan 2013


Pagination or Media Count : 9


Abstract : Relying on a single validation and verification (V&V) technique alone cannot detect all of the security problems of a software system. Each class of V&V effort detects different classes of faults in software. Even when composing a series of V&V efforts, one can never be completely sure that all faults have been detected. Additionally, security-related V&V efforts must be continuously updated to handle the newest forms of exploits of underlying vulnerabilities in software. The alerts produced by automated static analysis (ASA) tools and other static metrics have been shown to be an effective estimator of the actual reliability of a software system. Defect density can be predicted and high-risk components identified using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted based upon the number of security-related alerts reported by one or more static analyzers and by other static metrics. We built and evaluated statistical prediction models that are used to predict the actual overall security of a system.


Descriptors :   *COMPUTER SECURITY , *SOFTWARE METRICS , COMPUTER PROGRAMS , SECURITY , STATISTICAL ANALYSIS , VALIDATION , VERIFICATION


Subject Categories : Computer Systems Management and Standards


Distribution Statement : APPROVED FOR PUBLIC RELEASE