An Empirical Model to Predict Security Vulnerabilities using Code Complexity Metrics

Cited by: 0
Authors
Shin, Yonghee [1]
Williams, Laurie [1]
Affiliation
[1] N Carolina State Univ, Dept Comp Sci, Raleigh, NC 27695 USA
Source
ESEM'08: PROCEEDINGS OF THE 2008 ACM-IEEE INTERNATIONAL SYMPOSIUM ON EMPIRICAL SOFTWARE ENGINEERING AND MEASUREMENT | 2008
Keywords
Measurement; Reliability; Security;
DOI
Not available
Chinese Library Classification
TP31 [Computer software];
Discipline Classification
081202; 0835;
Abstract
Complexity is often hypothesized to be the enemy of software security. If this hypothesis is true, complexity metrics may be used to predict the locale of security problems and can be used to prioritize inspection and testing efforts. We performed statistical analysis on nine complexity metrics from the JavaScript Engine in the Mozilla application framework to find differences in code metrics between vulnerable and non-vulnerable code and to predict vulnerabilities. Our initial results show that complexity metrics can predict vulnerabilities at a low false positive rate, but at a high false negative rate.
Pages: 315-317
Page count: 3
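A worked illustration of the analysis the abstract describes, added here as an example and not taken from Shin and Williams's paper or from Mozilla. The paper computed nine complexity metrics over the JavaScript engine's C/C++ source; this Python script instead computes four metrics per function (lines of code, cyclomatic complexity, maximum nesting depth, parameter count) with the standard-library ast module over a constructed sample, compares the mean of a metric for functions labelled vulnerable against the rest, and reports the false-positive and false-negative rates of a predictor that flags any function whose metric meets a threshold. The sample functions, their names and the labels in VULNERABLE are all constructed for the example.

```python
"""Added example (not the paper's code): per-function complexity metrics via Python's
ast module, a vulnerable/non-vulnerable comparison, and a threshold predictor's error rates."""
import ast
from dataclasses import dataclass

# Constructed sample functions and constructed labels; nothing here is Mozilla code.
SAMPLE_SOURCE = '''
def parse_length(buf):
    return int(buf[:4])

def copy_bytes(dst, src, n):
    for i in range(n):
        dst[i] = src[i]
    return dst

def decode_packet(buf, max_len, strict):
    out = []
    i = 0
    while i < len(buf):
        n = buf[i]
        if n == 0:
            if strict:
                raise ValueError("empty chunk")
            i += 1
        elif n > max_len and strict:
            raise ValueError("chunk too long")
        else:
            out.append(buf[i + 1:i + 1 + n])
            i += 1 + n
    return out

def lookup(table, key, default):
    if key in table:
        return table[key]
    return default
'''
VULNERABLE = {"copy_bytes", "decode_packet"}   # constructed ground-truth labels

@dataclass(frozen=True)
class Metrics:
    name: str
    loc: int          # physical lines the function spans
    cyclomatic: int   # 1 + number of decision points
    max_nesting: int  # deepest nesting of compound statements
    params: int       # positional parameters

_BRANCHES = (ast.If, ast.For, ast.While, ast.AsyncFor, ast.ExceptHandler, ast.IfExp)
_COMPOUND = (ast.If, ast.For, ast.While, ast.AsyncFor, ast.With, ast.AsyncWith, ast.Try)

def cyclomatic_complexity(func):
    count = 1
    for node in ast.walk(func):
        if isinstance(node, _BRANCHES):
            count += 1
        elif isinstance(node, ast.BoolOp):
            count += len(node.values) - 1   # each extra and/or operand is a path
        elif isinstance(node, ast.comprehension):
            count += len(node.ifs)
    return count

def max_nesting(func):
    def visit(stmts, depth):
        deepest = depth
        for stmt in stmts:
            if not isinstance(stmt, _COMPOUND):
                continue
            for field in ("body", "orelse", "finalbody"):
                children = getattr(stmt, field, [])
                # an `elif` is an If that is the sole orelse child: same depth, not deeper
                is_elif = (field == "orelse" and isinstance(stmt, ast.If)
                           and len(children) == 1 and isinstance(children[0], ast.If))
                deepest = max(deepest, visit(children, depth if is_elif else depth + 1))
            for handler in getattr(stmt, "handlers", []):
                deepest = max(deepest, visit(handler.body, depth + 1))
        return deepest
    return visit(func.body, 0)

def function_metrics(source):
    return [Metrics(f.name, f.end_lineno - f.lineno + 1, cyclomatic_complexity(f),
                    max_nesting(f), len(f.args.args))
            for f in ast.parse(source).body if isinstance(f, ast.FunctionDef)]

def group_means(metrics, vulnerable, attr):
    """Mean of one metric over vulnerable and over non-vulnerable functions."""
    vuln = [getattr(m, attr) for m in metrics if m.name in vulnerable]
    safe = [getattr(m, attr) for m in metrics if m.name not in vulnerable]
    return sum(vuln) / len(vuln), sum(safe) / len(safe)

def error_rates(metrics, vulnerable, attr, threshold):
    """Flag a function when metric >= threshold; return (FP rate, FN rate)."""
    fp = fn = 0
    for m in metrics:
        flagged, is_vuln = getattr(m, attr) >= threshold, m.name in vulnerable
        fp += int(flagged and not is_vuln)
        fn += int(is_vuln and not flagged)
    n_vuln = sum(m.name in vulnerable for m in metrics)
    return fp / (len(metrics) - n_vuln), fn / n_vuln
```

Raising the threshold reproduces the shape of the abstract's result on this constructed sample: flagging cyclomatic >= 6 selects only decode_packet (no false positives, but copy_bytes is missed, a 50% false-negative rate), while flagging cyclomatic >= 2 catches both vulnerable functions at the cost of also flagging lookup. On a real code base the labels would come from recorded vulnerability fixes rather than hand assignment, and the threshold should be chosen on data not used to evaluate it.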