A Proposed Approach to Build an Automated Software Security Assessment Framework using Mined Patterns and Metrics
Title | A Proposed Approach to Build an Automated Software Security Assessment Framework using Mined Patterns and Metrics |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Sultana, Kazi Zakia, Chong, Tai-Yin |
Conference Name | 2019 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC) |
Date Published | August |
Keywords | automated framework, Automated Secure Software Engineering, automated software security assessment framework, building security-specific metrics, coding theory, Complexity theory, composability, Computing Theory, current software metrics, data mining, encoding, estimated security level, existing nanopatterns, generic patterns, graph theory, human factors, Java, Java method-level traceable patterns, machine learning, Metrics, mined patterns, patterns, pubcrawl, reliable software, Resiliency, Scalability, secure code, security, security metrics, security of data, security-centric, security-specific properties, Software, software metrics, software security, software security level, Software Vulnerability, text analysis, Tools, Ubiquitous Computing Security, Vulnerability prediction |
Abstract | Software security is a major concern of developers who intend to deliver reliable software. Although there is research that focuses on vulnerability prediction and discovery, there is still a need for building security-specific metrics to measure software security and vulnerability-proneness quantitatively. The existing methods are either based on software metrics (defined on the physical characteristics of code, e.g. complexity or lines of code), which are not security-specific, or on some generic patterns known as nano-patterns (Java method-level traceable patterns that characterize a Java method or function). Other methods predict vulnerabilities using text mining approaches or graph algorithms, which perform poorly in cross-project validation and fail to be a generalized prediction model for any system. In this paper, we envision constructing an automated framework that will assist developers in assessing the security level of their code and guide them towards developing secure code. To accomplish this goal, we aim to refine and redefine the existing nano-patterns and software metrics to make them more security-centric so that they can be used for measuring the software security level of source code (either a file or a function) with higher accuracy. In this paper, we present our visionary approach through a series of three consecutive studies in which we (1) will study the challenges of the current software metrics and nano-patterns in vulnerability prediction, (2) will redefine and characterize the nano-patterns and software metrics so that they can capture security-specific properties of code and measure the security level quantitatively, and finally (3) will implement an automated framework for developers to automatically extract the values of all the patterns and metrics for a given code segment and then flag the estimated security level as feedback based on our research results. We accomplished some preliminary experiments and present the results, which indicate that our vision can be practically implemented and will have valuable implications for the software security community. |
DOI | 10.1109/CSE/EUC.2019.00042 |
Citation Key | sultana_proposed_2019 |
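Step (3) of the abstract is an extractor that takes a Java method and emits the values of its nano-patterns and software metrics. The following is an added example, not code from the paper or its authors, of what the front end of such an extractor looks like: a regex-based Python module that flags a subset of method-level nano-patterns (the flag names follow the nano-pattern catalogue the abstract refers to; the detection rules are this example's own approximation) next to the conventional, non-security-specific metrics the abstract mentions (lines of code, parameter count, cyclomatic complexity, nesting depth, call count), and returns them as a numeric feature vector. The two Java methods are constructed samples. The last step, mapping that vector to an estimated security level, needs the security-centric redefinition and trained model that are the paper's open research question, so it is deliberately not implemented here.

```python
import re
from dataclasses import dataclass, fields

# Constructed sample Java methods for illustration; not taken from the paper.
SAMPLE_METHOD = """\
public int[] readChunks(InputStream in, int count) throws IOException {
    int[] sizes = new int[count];
    for (int i = 0; i < count; i++) {
        int n = in.read();
        if (n < 0) {
            throw new IOException("truncated");
        }
        sizes[i] = n;
    }
    return sizes;
}
"""
SAMPLE_LEAF = "void reset() {\n    total = 0;\n}\n"

# Regex approximations of Java syntax (this example's assumption; a real tool
# would use a Java parser or bytecode analysis, which string literals and
# comments containing braces or keywords cannot confuse).
_HEADER = re.compile(
    r"^\s*(?:(?:public|private|protected|static|final|synchronized|abstract)\s+)*"
    r"(?:<[^>]+>\s+)?([\w.<>\[\]]+)\s+(\w+)\s*\(([^)]*)\)")
_CONTROL = re.compile(r"\b(?:if|else|for|while|do|switch|case|try|catch)\b|\?")
_BRANCH = re.compile(r"\b(?:if|for|while|case|catch)\b|&&|\|\||\?")
_CALL = re.compile(r"\b(?!(?:if|for|while|switch|catch|synchronized|return|throw)\b)"
                   r"([A-Za-z_]\w*)\s*\(")
_NEW_OBJ = re.compile(r"\bnew\s+[\w.]+(?:<[^>]*>)?\s*\(")
_NEW_ARR = re.compile(r"\bnew\s+[\w.]+\s*\[")
_ARR_WRITE = re.compile(r"\b\w+\[[^\]]+\]\s*[-+*/]?=(?!=)")
_ARR_READ = re.compile(r"(?<!new )\b\w+\[[^\]]+\](?!\s*[-+*/]?=(?!=))")


@dataclass
class MethodFeatures:
    # Flag names follow the nano-pattern catalogue; detection is this example's own.
    name: str
    no_params: bool
    no_return: bool
    recursive: bool
    leaf: bool            # makes no method calls
    object_creator: bool  # new T(...)
    array_creator: bool   # new T[...]
    array_reader: bool
    array_writer: bool
    straight_line: bool   # no branching or looping
    looping: bool
    exceptions: bool      # throws or handles exceptions
    loc: int              # the plain metrics the abstract calls not security-specific
    param_count: int
    cyclomatic: int
    max_nesting: int
    call_count: int


def _max_nesting(src: str) -> int:
    # Deepest brace nesting inside the body, discounting the method's own braces.
    depth = deepest = 0
    for ch in src:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return max(deepest - 1, 0)


def extract_features(src: str) -> MethodFeatures:
    """Extract pattern flags and metrics from one Java method's source text."""
    m = _HEADER.match(src)
    if not m:
        raise ValueError("not a recognisable Java method header")
    ret_type, name, params = m.groups()
    body = src[src.index("{") + 1 : src.rindex("}")]
    # Mask constructor calls so `new Foo(` is not counted as a method call.
    calls = _CALL.findall(_NEW_OBJ.sub("(", body))
    param_list = [p for p in params.split(",") if p.strip()]
    return MethodFeatures(
        name=name,
        no_params=not param_list,
        no_return=ret_type == "void",
        recursive=re.search(r"\b" + re.escape(name) + r"\s*\(", body) is not None,
        leaf=not calls,
        object_creator=_NEW_OBJ.search(body) is not None,
        array_creator=_NEW_ARR.search(body) is not None,
        array_reader=_ARR_READ.search(body) is not None,
        array_writer=_ARR_WRITE.search(body) is not None,
        straight_line=_CONTROL.search(body) is None,
        looping=re.search(r"\b(?:for|while|do)\b", body) is not None,
        exceptions=re.search(r"\b(?:throw|try)\b", body) is not None,
        loc=sum(1 for line in src.splitlines() if line.strip()),
        param_count=len(param_list),
        cyclomatic=1 + len(_BRANCH.findall(body)),
        max_nesting=_max_nesting(src),
        call_count=len(calls),
    )


def feature_vector(src: str) -> list[int]:
    """Numeric row (booleans as 0/1, name dropped) for a classifier or a threshold rule."""
    f = extract_features(src)
    return [int(getattr(f, fld.name)) for fld in fields(MethodFeatures) if fld.name != "name"]
```

Calling `extract_features(SAMPLE_METHOD)` reports a non-leaf, looping, exception-raising method with one call, cyclomatic complexity 3 and nesting depth 2, while `SAMPLE_LEAF` comes out as a no-parameter, no-return, straight-line leaf; `feature_vector` turns either into a 16-element row. Field-access patterns (FieldReader/FieldWriter) are omitted because they cannot be told apart from local variables without resolving the enclosing class, which is one reason a production extractor works from a parsed AST or bytecode rather than raw text.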