Accession Number: ADA581470
Title: On the Use of Software Metrics as a Predictor of Software Security Problems
Descriptive Note: Final rept. 1 Jun 2009-31 Oct 2012
Corporate Author: NORTH CAROLINA STATE UNIV AT RALEIGH
Report Date: 2013-01-01
Pagination or Media Count: 9.0
Abstract:
Relying on one validation and verification (V&V) effort alone cannot detect all of the security problems of a software system. Each class of V&V effort detects different classes of faults in software. Even composing a series of V&V efforts, one can never be completely sure that all faults have been detected. Additionally, security-related V&V efforts must continuously be updated to handle the newest forms of exploits of underlying vulnerabilities in software. The alerts produced by automated static analysis (ASA) tools and other static metrics have been shown to be an effective estimator of the actual reliability of a software system. Defect density and high-risk components can be predicted using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted from the number of security-related alerts reported by one or more static analyzers and from other static metrics. We built and evaluated statistical prediction models that use these measures to predict the actual overall security of a system.
Distribution Statement: APPROVED FOR PUBLIC RELEASE