
Slide 1: MetriCon 2.0
Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail
Michael Gegick, Laurie Williams
North Carolina State University
7 August 2007

Slide 2: Introducing Security Parallels

Reliability context (well-established):
– Fault-prone component: likely to contain faults
– Failure-prone component: likely to have failures in the field

Security context (new):
– Vulnerability-prone component: likely to contain vulnerabilities
– Attack-prone component: likely to be exploited in the field

Component – any logical part of the software system [1]

Make informed risk management decisions and prioritize redesign, inspection, and testing efforts on components.

[1] IEEE, "ANSI/IEEE Standard Glossary of Software Engineering Terminology (IEEE Std 610.12-1990)," Los Alamitos, CA: IEEE Computer Society Press, 1990.

Slide 3: Early Reliability Metrics

Static analysis
– N. Nagappan and T. Ball, "Static Analysis Tools as Early Indicators of Pre-release Defect Density," in International Conference on Software Engineering, St. Louis, MO, 2005, pp. 580-586.
– J. Zheng, L. Williams, W. Snipes, N. Nagappan, J. Hudepohl, and M. Vouk, "On the Value of Static Analysis Tools for Fault Detection," IEEE Transactions on Software Engineering, vol. 32, pp. 240-253, 2006.

Complexity metrics
– J. Munson and T. Khoshgoftaar, "The Detection of Fault-Prone Programs," IEEE Transactions on Software Engineering, vol. 18, pp. 423-433, 1992.
– T. Khoshgoftaar and J. Munson, "Predicting Software Development Errors using Software Complexity Metrics," IEEE Journal on Selected Areas in Communications, vol. 8, pp. 253-261, 1990.

Historical (failure)
– N. Nagappan, T. Ball, and A. Zeller, "Mining metrics to predict component failures," in International Conference on Software Engineering, Shanghai, China, 2006.
– T. J. Ostrand, E. J. Weyuker, and R. M. Bell, "Where the bugs are," in International Symposium on Software Testing and Analysis, Boston, Massachusetts, 2004, pp. 86-96.

Object-Oriented metrics
– V. Basili, L. Briand, and W. Melo, "A Validation of Object Oriented Design Metrics as Quality Indicators," IEEE Transactions on Software Engineering, vol. 21, 1996.
– Y. Zhou and L. Hareton, "Empirical Analysis of Object-Oriented Design Metrics for Predicting High and Low Severity Faults," IEEE Transactions on Software Engineering, vol. 32, no. 10, 2006, pp. 771-789.

Slide 4: Research Objective

Build and validate models for predicting vulnerability- and attack-prone components based upon security-based automated static analyzer (ASA) alerts.
– Metric: ASA alert density and severity, available early in the development phase
– ASA cannot find all types of security vulnerabilities (implementation bugs, design flaws, operational vulnerabilities). Are ASA alerts a good predictor?
– Software engineers plug the number of security alerts into the predictive models to determine which components are vulnerability- and attack-prone.

Slide 5: Building the Initial Predictive Model

Generalized linear model (the data are not normally distributed). Poisson distribution?

Model terms:
– mean number of vulnerabilities in the component
– estimated intercept
– estimated slope
– value of the random variable: alert density of the component

Slide 6: Feasibility Study

Fortify Software’s Source Code Analyzer (SCA) scanned ten releases of Sendmail:
– 8.12.2 through 8.12.11
– 996 total files scanned
21 potential vulnerabilities
– Vulnerabilities reported in RELEASE_NOTES
Nine vulnerabilities with known exploits

Slide 7: Feasibility Study – vulnerability-prone

Poisson distribution
– Models the response data: reported vulnerabilities
Association between Hot alert density and number of reported vulnerabilities per file
– Positive slope → positive association between alerts and reported vulnerabilities
– p-value → high significance in the association
– Standard error → substantial overdispersion
  » Few data points

Slope      p-value   Chi-Square/df (goodness-of-fit measure)   Standard error
294.8069   0.0016    1.1939                                    93.3422

Slide 8: Feasibility Study – attack-prone

Poisson distribution
– Models the response data: number of known exploits (nine) for a Sendmail file
Association between Hot alert density and number of known exploits
– Slope → positive association between alerts and exploits
– p-value → low significance
– Standard error → substantial overdispersion
  » Few data points

Slope      p-value   Chi-Square/df (goodness-of-fit measure)   Standard error
140.4334   0.4980    1.2099                                    207.2419
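The Poisson generalized linear model sketched on slide 5, and the slope, p-value, chi-square/df and standard-error statistics reported on slides 7 and 8, carried through on a constructed data set as an added example (this is not code from the presentation or its authors). It assumes the standard log link for the Poisson GLM, a two-sided Wald test for the p-value, and Pearson chi-square divided by residual degrees of freedom as the goodness-of-fit / overdispersion measure; the alert densities and vulnerability counts below are made up and are not Sendmail data.

```python
import math

# Constructed sample (not Sendmail data): hot-alert density per file
# (hypothetical units, e.g. alerts per KLOC) and reported vulnerability count.
ALERT_DENSITY = [0.0, 0.5, 1.0, 1.2, 2.0, 2.5, 3.0, 3.5, 4.0, 5.0]
VULNERABILITIES = [0, 0, 0, 1, 0, 1, 2, 1, 3, 4]


def means(x, b0, b1):
    """Fitted Poisson means under the log link: mu_i = exp(b0 + b1 * x_i)."""
    return [math.exp(b0 + b1 * xi) for xi in x]


def loglik(y, mu):
    """Poisson log-likelihood up to the constant sum(log y_i!)."""
    return sum(yi * math.log(mi) - mi for yi, mi in zip(y, mu))


def information(x, mu):
    """Fisher information X^T diag(mu) X for the design matrix [1, x]."""
    i00 = sum(mu)
    i01 = sum(xi * mi for xi, mi in zip(x, mu))
    i11 = sum(xi * xi * mi for xi, mi in zip(x, mu))
    return i00, i01, i11


def fit_poisson(x, y, max_iter=100, tol=1e-10):
    """Maximum-likelihood fit of log(E[y]) = b0 + b1*x by Newton's method
    with step halving. Returns intercept, slope and their standard errors."""
    n = len(y)
    b0, b1 = math.log(sum(y) / n), 0.0  # intercept-only starting point
    for _ in range(max_iter):
        mu = means(x, b0, b1)
        g0 = sum(yi - mi for yi, mi in zip(y, mu))                # score: intercept
        g1 = sum(xi * (yi - mi) for xi, yi, mi in zip(x, y, mu))  # score: slope
        i00, i01, i11 = information(x, mu)
        det = i00 * i11 - i01 * i01
        d0 = (i11 * g0 - i01 * g1) / det  # Newton step = inverse information * score
        d1 = (i00 * g1 - i01 * g0) / det
        base = loglik(y, mu)
        step = 1.0
        while step > 1e-8:  # halve the step until the likelihood does not drop
            try:
                if loglik(y, means(x, b0 + step * d0, b1 + step * d1)) >= base:
                    break
            except OverflowError:
                pass
            step /= 2
        b0 += step * d0
        b1 += step * d1
        if abs(step * d0) < tol and abs(step * d1) < tol:
            break
    i00, i01, i11 = information(x, means(x, b0, b1))
    det = i00 * i11 - i01 * i01
    # Standard errors come from the diagonal of the inverse information matrix
    return {"intercept": b0, "slope": b1,
            "se_intercept": math.sqrt(i11 / det),
            "se_slope": math.sqrt(i00 / det)}


def score_balance(x, y, fit):
    """At the MLE the score equations hold: sum(y - mu) = 0 and
    sum(x * (y - mu)) = 0. Returns both sums as a convergence check."""
    mu = means(x, fit["intercept"], fit["slope"])
    return (sum(yi - mi for yi, mi in zip(y, mu)),
            sum(xi * (yi - mi) for xi, yi, mi in zip(x, y, mu)))


def wald_p_value(estimate, se):
    """Two-sided p-value for H0: coefficient = 0, normal approximation."""
    return math.erfc(abs(estimate / se) / math.sqrt(2))


def pearson_chi2_per_df(x, y, fit, n_params=2):
    """Pearson chi-square over residual degrees of freedom; values well
    above 1 indicate overdispersion relative to the Poisson assumption."""
    mu = means(x, fit["intercept"], fit["slope"])
    chi2 = sum((yi - mi) ** 2 / mi for yi, mi in zip(y, mu))
    return chi2 / (len(y) - n_params)


def predicted_mean(fit, density):
    """Expected vulnerability count for a component with the given alert density."""
    return math.exp(fit["intercept"] + fit["slope"] * density)


def summarize(x=ALERT_DENSITY, y=VULNERABILITIES):
    """The four statistics the slides report: slope, p-value,
    chi-square/df and the standard error of the slope."""
    fit = fit_poisson(x, y)
    return {"slope": fit["slope"],
            "p_value": wald_p_value(fit["slope"], fit["se_slope"]),
            "chi2_per_df": pearson_chi2_per_df(x, y, fit),
            "se_slope": fit["se_slope"]}


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:12s} {value:.4f}")
```

The slope is interpreted on the log scale: each unit of alert density multiplies the expected vulnerability count by exp(slope). When chi-square/df (or a standard error that is large relative to the slope) signals overdispersion, the Poisson standard errors understate the real uncertainty, so the p-value is optimistic; with as few data points as the feasibility study has, that is the caveat the slides raise.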

Slide 9: Questions

Thank you!
mcgegick@ncsu.edu

