Abstract
Security has become the Achilles' heel of most modern software systems. Techniques ranging from manual inspection to automated static and dynamic analyses are commonly employed to identify security vulnerabilities prior to the release of software. However, these techniques are time-consuming and cannot keep up with the complexity of ever-growing software repositories (e.g., Google Play and the Apple App Store). In this paper, we aim to improve the status quo and increase the efficiency of static analysis by mining relevant information from vulnerabilities found in categorized software repositories. The approach relies on the fact that many modern software systems are developed using rich application development frameworks (ADFs), which allows us to raise the level of abstraction for detecting vulnerabilities and thereby makes it possible to classify the types of vulnerabilities encountered in a given category of application. We used open-source software repositories comprising more than 7 million lines of code to demonstrate how our approach can improve the efficiency of static analysis and, in turn, vulnerability detection.
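The abstract sketches the idea only at a high level: vulnerabilities already found in a categorized repository are mined so that, for a new app in a given category, static analysis can concentrate on the vulnerability types that category tends to exhibit. The following is an added illustration written for this page, not code from the paper or its authors. It assumes a simple frequency-based estimate of P(vulnerability type | category) with Laplace smoothing over a constructed set of prior findings, and uses that estimate to order static-analysis checkers by expected yield per unit cost. The category names, vulnerability-type names and checker costs are all invented for the example.

```python
from collections import Counter

# Constructed sample of prior findings as (app category, vulnerability type).
# In the paper's setting these would be mined from a categorized app repository;
# the categories and vulnerability-type names here are illustrative assumptions.
PRIOR_FINDINGS = [
    ("messaging", "intent_spoofing"),
    ("messaging", "intent_spoofing"),
    ("messaging", "sql_injection"),
    ("messaging", "insecure_storage"),
    ("games", "insecure_storage"),
    ("games", "insecure_storage"),
    ("games", "intent_spoofing"),
    ("banking", "sql_injection"),
    ("banking", "insecure_storage"),
    ("banking", "webview_js_injection"),
]

# Closed set of vulnerability types the checkers know about (sorted for determinism).
ALL_TYPES = sorted({vtype for _, vtype in PRIOR_FINDINGS})

# Hypothetical relative cost of running each checker (e.g. taint analysis is pricier
# than a pattern match). Uniform costs make the ranking purely probability-driven.
UNIFORM_COST = {t: 1.0 for t in ALL_TYPES}


def category_profile(findings, category, alpha=1.0):
    """Estimate P(vulnerability type | category) with additive (Laplace) smoothing.

    alpha > 0 keeps types never seen in this category at a small non-zero
    probability, so a checker is de-prioritized rather than silently skipped.
    """
    counts = Counter(vtype for cat, vtype in findings if cat == category)
    total = sum(counts.values())
    k = len(ALL_TYPES)
    return {t: (counts[t] + alpha) / (total + alpha * k) for t in ALL_TYPES}


def prioritize_checks(findings, category, checker_cost=None):
    """Order checkers for an app in `category` by expected findings per unit cost.

    Ties keep the order of ALL_TYPES because sorted() is stable.
    """
    cost = checker_cost or UNIFORM_COST
    profile = category_profile(findings, category)
    return sorted(ALL_TYPES, key=lambda t: profile[t] / cost[t], reverse=True)


def top_checker(findings, category, checker_cost=None):
    """Convenience: the single checker that should run first for this category."""
    return prioritize_checks(findings, category, checker_cost)[0]


if __name__ == "__main__":
    for cat in ("messaging", "games", "banking"):
        profile = category_profile(PRIOR_FINDINGS, cat)
        order = prioritize_checks(PRIOR_FINDINGS, cat)
        print(f"{cat:10s} profile={ {t: round(p, 3) for t, p in profile.items()} }")
        print(f"{'':10s} run order={order}")
```

With the constructed data, a messaging app is analyzed for intent spoofing first, while a game is checked for insecure storage first; the smoothing term is what keeps `webview_js_injection` on the list for both categories even though neither has exhibited it yet.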
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Sadeghi, A., Esfahani, N., Malek, S. (2014). Mining the Categorized Software Repositories to Improve the Analysis of Security Vulnerabilities. In: Gnesi, S., Rensink, A. (eds) Fundamental Approaches to Software Engineering. FASE 2014. Lecture Notes in Computer Science, vol 8411. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54804-8_11
DOI: https://doi.org/10.1007/978-3-642-54804-8_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54803-1
Online ISBN: 978-3-642-54804-8