Software Metrics as Indicators of Security Vulnerabilities

Title: Software Metrics as Indicators of Security Vulnerabilities
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Medeiros, N., Ivaki, N., Costa, P., Vieira, M.
Conference Name: 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE)
Date Published: Oct
ISBN Number: 978-1-5386-0941-5
Keywords: coding theory, Complexity theory, compositionality, Correlation, correlation coefficients, cryptography, feature selection, file levels, function levels, heuristic search technique, Metrics, nonvulnerable code, pubcrawl, resilience, Resiliency, search problems, security, security of data, security vulnerabilities, software architectural characteristics, software architecture, software metrics, software operational phase, software quality, software security vulnerabilities, Software systems, vulnerable software units

Detecting software security vulnerabilities and distinguishing vulnerable from non-vulnerable code is anything but simple. Most of the time, vulnerabilities remain undisclosed until they are exposed, for instance, by an attack during the software operational phase. Software metrics are widely used indicators of software quality, but the question is whether they can also be used, during development, to distinguish vulnerable software units from non-vulnerable ones. In this paper, we perform an exploratory study on software metrics, their interdependency, and their relation with security vulnerabilities. We aim to understand: i) the correlation between software architectural characteristics, represented in the form of software metrics, and the number of vulnerabilities; and ii) which metrics are the most informative and discriminative for identifying vulnerable units of code. To achieve these goals, we use, respectively, correlation coefficients and heuristic search techniques. Our analysis is carried out on a dataset that includes software metrics and reported security vulnerabilities, exposed by security attacks, for all functions, classes, and files of five widely used projects. Results show: i) a strong correlation between several project-level metrics and the number of vulnerabilities; and ii) the possibility of using a group of metrics, at both file and function levels, to distinguish vulnerable from non-vulnerable code with a high level of accuracy.

Citation Key: medeiros_software_2017