On the Use of Software Metrics as a Predictor of Software Security Problems
Final report, 1 Jun 2009 to 31 Oct 2012
NORTH CAROLINA STATE UNIV AT RALEIGH
Relying on a single validation and verification (V&V) technique alone cannot detect all of the security problems of a software system. Each class of V&V effort detects different classes of faults in software, and even after composing a series of V&V efforts one can never be completely sure that all faults have been detected. Additionally, security-related V&V efforts must be updated continuously to handle the newest forms of exploits of underlying vulnerabilities in software. The alerts produced by automated static analysis (ASA) tools, together with other static metrics, have been shown to be an effective estimator of the actual reliability of a software system: defect density can be predicted and high-risk components identified using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted from the number of security-related alerts reported by one or more static analyzers and from other static metrics. We built and evaluated statistical prediction models that predict the actual overall security of a system.
- Computer Systems Management and Standards