Abstract

Software security being one of the primary concerns in the software engineering community, researchers are coming up with many preemptive approaches aiming to minimize the vulnerabilities in the software. These approaches, dominated by static and dynamic analysis of the code often with machine learning (ML) techniques, are designed to detect vulnerabilities in the post-implementation stage of the software development life-cycle (SDLC). While they are found to be effective in detecting vulnerabilities, the consequences are often expensive. Accommodating changes after detecting a vulnerability in the system in later stages of the SDLC is very costly, sometimes even infeasible as it may involve changes in design or architecture. Moreover, the root of a vulnerability can often be traced back to the requirements specification. On that account, Imtiaz and Bhowmik have advocated a novel framework to provide an additional measure of predicting vulnerabilities at earlier stages of the SDLC. In this study, we build upon their proposed framework and leverage state-of-the-art ML algorithms to predict vulnerabilities for new requirements. We also present a case study on a large open-source-software (OSS) system, Firefox, evaluating the effectiveness of the extended prediction module. The results demonstrate that the framework could be a viable complement to the traditional vulnerability-fighting approaches.

Imtiaz, S., Amin, M.R., Do, A.Q., Iannucci, S., Bhowmik, T. (2021). Predicting Vulnerability for Requirements. In Proceedings - 2021 IEEE 22nd International Conference on Information Reuse and Integration for Data Science, IRI 2021 (pp.160-167). Institute of Electrical and Electronics Engineers Inc. [10.1109/IRI51335.2021.00028].

Predicting Vulnerability for Requirements

Iannucci, S.
2021-01-01

Year: 2021
ISBN: 978-1-6654-3875-9
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11590/399930
Citations
  • PMC: not available
  • Scopus: 2
  • ISI: 3