Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components

@inproceedings{citeulike:2681708, abstract = {Extensive research has shown that software metrics can be used to identify fault- and failure-prone components. These metrics can also give early indications of overall software quality. We seek to parallel the identification and prediction of fault- and failure-prone components in the reliability context with vulnerability- and attack-prone components in the security context. Our research will correlate the quantity and severity of alerts generated by source code static analyzers to vulnerabilities discovered by manual analyses and testing. A strong correlation may indicate that automated static analyzers (ASA), a potentially early technique for vulnerability identification in the development phase, can identify high risk areas in the software system. Based on the alerts, we may be able to predict the presence of more complex and abstract vulnerabilities involved with the design and operation of the software system. An early knowledge of vulnerability can allow software engineers to make informed risk management decisions and prioritize redesign, inspection, and testing efforts. This paper presents our research objective and methodology.}, author = {Gegick, M. and Williams, L. }, booktitle = {Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference on}, citeulike-article-id = {2681708}, doi = {10.1109/ICIMP.2007.46}, journal = {Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference on}, keywords = {bachelor\_thesis, security, vulnerability}, pages = {18}, posted-at = {2008-04-17 13:16:39}, priority = {3}, title = {Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components}, url = {http://dx.doi.org/10.1109/ICIMP.2007.46}, year = {2007} }

TY - CONF ID - citeulike:2681708 L3 - citeulike-article-id:2681708 TI - Toward the Use of Automated Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components T2 - Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference on JF - Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference on SP - 18 EP - 18 N2 - Extensive research has shown that software metrics can be used to identify fault- and failure-prone components. These metrics can also give early indications of overall software quality. We seek to parallel the identification and prediction of fault- and failure-prone components in the reliability context with vulnerability- and attack-prone components in the security context. Our research will correlate the quantity and severity of alerts generated by source code static analyzers to vulnerabilities discovered by manual analyses and testing. A strong correlation may indicate that automated static analyzers (ASA), a potentially early technique for vulnerability identification in the development phase, can identify high risk areas in the software system. Based on the alerts, we may be able to predict the presence of more complex and abstract vulnerabilities involved with the design and operation of the software system. An early knowledge of vulnerability can allow software engineers to make informed risk management decisions and prioritize redesign, inspection, and testing efforts. This paper presents our research objective and methodology. KW - bachelor_thesis KW - security KW - vulnerability AU - Gegick, M AU - Williams, L PY - 2007/// UR - http://dx.doi.org/10.1109/ICIMP.2007.46 ER -