Investigating the Changes in Software Metrics after Vulnerability Is Fixed

Title: Investigating the Changes in Software Metrics after Vulnerability Is Fixed
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Zhou, Andy; Sultana, Kazi Zakia; Samanthula, Bharath K.
Conference Name: 2021 IEEE International Conference on Big Data (Big Data)
Keywords: big data security metrics, codes, Measurement, Metrics, Predictive models, predictive security metrics, pubcrawl, security metrics, software metric, software metrics, software security, static analysis, text mining, Vulnerability, Writing
Abstract: Preventing software vulnerabilities while writing code is one of the most effective ways to avoid cyber attacks on any developed system. Although developers follow standard guiding principles for ensuring secure code, the code can still have security weaknesses and be compromised by an attacker. Therefore, assessing software security while developing code can help developers write vulnerability-free code. Researchers have already focused on metrics-based and text-mining-based software vulnerability prediction models. The metrics-based models showed higher precision in predicting vulnerabilities, although their recall rate is low. In addition, current research has not investigated the impact of each individual software metric on the occurrence of vulnerabilities. The main objective of this paper is to track the changes in every software metric after the developer fixes a particular vulnerability. The results of our research will potentially motivate further research on building more accurate vulnerability prediction models based on the appropriate software metrics. In particular, we have compared a total of 250 files from Apache Tomcat and Apache CXF. These files were extracted from the Apache database and were chosen because Apache identified them as vulnerable in its publicly available security advisories. Using a static analysis tool, metrics of the targeted vulnerable files and the corresponding fixed files (files from which the vulnerable code was removed by the developers) were extracted and compared. We show that eight of the 40 metrics have an average increase of 2% from vulnerable to fixed files. These metrics are CountDeclClass, CountDeclClassMethod, CountDeclClassVariable, CountDeclInstanceVariable, CountDeclMethodDefault, CountLineCode, MaxCyclomaticStrict, and MaxNesting. This study will help developers assess software security by utilizing software metrics in secure coding practices.
DOI: 10.1109/BigData52589.2021.9671334
Citation Key: zhou_investigating_2021