A hierarchical model for quantifying software security based on static analysis alerts and software metrics

Cited by: 0
Authors
Miltiadis Siavvas
Dionysios Kehagias
Dimitrios Tzovaras
Erol Gelenbe
Affiliations
[1] Imperial College London, Institute of Theoretical & Applied Informatics
[2] Centre for Research and Technology Hellas
[3] Polish Academy of Sciences
Source
Software Quality Journal | 2021 / Vol. 29
Keywords
Software Security; Software Quality Evaluation; Security Assessment;
DOI
Not available
Abstract
Despite the acknowledged importance of quantitative security assessment in secure software development, the current literature still lacks an efficient model for measuring internal software security risk. To this end, in this paper we introduce a hierarchical security assessment model (SAM) that assesses the internal security level of software products from low-level indicators, i.e., security-relevant static analysis alerts and software metrics. Following the guidelines of ISO/IEC 25010 and using a set of thresholds and weights, the model systematically aggregates these low-level indicators into a high-level security score that reflects the internal security level of the analyzed software. The model is practical: it is fully automated and operationalized both as a standalone tool and as part of a broader Computer-Aided Software Engineering (CASE) platform. To enhance its reliability, the thresholds of the model were calibrated on a repository of 100 popular software applications retrieved from the Maven Repository, and its weights were elicited, through a novel weights-elicitation approach grounded in popular decision-making techniques, so as to chiefly reflect the knowledge expressed by the Common Weakness Enumeration (CWE). The model was evaluated on a large repository of 150 open-source software applications retrieved from GitHub and on 1200 classes retrieved from the OWASP Benchmark. The results of the experiments show that the model can reliably assess internal security at both product-level and class-level granularity, with sufficient discriminative power. They also provide preliminary evidence that the model can serve as the basis for vulnerability prediction. To the best of our knowledge, this is the first fully automated, operationalized and sufficiently evaluated security assessment model in the modern literature.
Pages: 431 / 507
Page count: 76
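The abstract describes a three-layer aggregation: raw indicators (alert densities and metrics) are normalized through calibrated thresholds, combined by weights into security characteristics, and combined again into one security index. The following is an added illustration of that structure written for this page; it is not the paper's code, not the SAM tool, and the property names, thresholds, weights and piecewise-linear normalization are constructed assumptions rather than the paper's calibrated values. The quartile-based `calibrate` helper stands in for the paper's calibration on a Maven corpus, and the fixed weight tables stand in for its CWE-driven weight elicitation.

```python
# Added example (not the paper's or its tool's code): a minimal hierarchical
# security-assessment model in the ISO/IEC 25010 style the abstract describes.
# Property names, thresholds, weights and the normalization function are
# constructed assumptions, not the paper's calibrated values.
from dataclasses import dataclass
from statistics import quantiles
from typing import Dict, Iterable, Mapping, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Three calibration points for one property (low < mid < high)."""
    low: float
    mid: float
    high: float

    def __post_init__(self) -> None:
        if not self.low < self.mid < self.high:
            raise ValueError("thresholds must satisfy low < mid < high")


def calibrate(samples: Iterable[float]) -> Thresholds:
    """Thresholds as the quartiles of a property over a reference corpus.
    The paper calibrates on 100 Maven artefacts; any corpus passed here is constructed."""
    q1, q2, q3 = quantiles(sorted(samples), n=4)
    return Thresholds(q1, q2, q3)


def alert_density(alert_count: int, loc: int) -> float:
    """Static-analysis alerts per thousand lines of code."""
    if loc <= 0:
        raise ValueError("loc must be positive")
    return alert_count * 1000.0 / loc


def normalize(value: float, t: Thresholds, higher_is_worse: bool = True) -> float:
    """Piecewise-linear score in [0, 1]: 1.0 at or below t.low, 0.5 at t.mid,
    0.0 at or above t.high. Mirrored when larger values are better."""
    if not higher_is_worse:
        value, t = -value, Thresholds(-t.high, -t.mid, -t.low)
    if value <= t.low:
        return 1.0
    if value >= t.high:
        return 0.0
    if value <= t.mid:
        return 1.0 - 0.5 * (value - t.low) / (t.mid - t.low)
    return 0.5 - 0.5 * (value - t.mid) / (t.high - t.mid)


def weighted_sum(scores: Mapping[str, float], weights: Mapping[str, float]) -> float:
    """Aggregate one level of the hierarchy; weights must form a convex combination."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(w * scores[name] for name, w in weights.items())


# Layer 1: properties measured on the product (constructed thresholds).
PROPERTIES: Dict[str, Tuple[Thresholds, bool]] = {
    "injection_alerts_per_kloc": (Thresholds(0.0, 0.5, 2.0), True),
    "crypto_misuse_alerts_per_kloc": (Thresholds(0.0, 0.2, 1.0), True),
    "exception_alerts_per_kloc": (Thresholds(0.1, 0.8, 3.0), True),
    "avg_cyclomatic_complexity": (Thresholds(3.0, 6.0, 12.0), True),
    "comment_ratio": (Thresholds(0.05, 0.15, 0.30), False),
}
# Layer 2: security characteristics as weighted combinations of properties
# (constructed weights; the paper derives its weights from CWE knowledge).
CHARACTERISTICS: Dict[str, Dict[str, float]] = {
    "confidentiality": {"injection_alerts_per_kloc": 0.5,
                        "crypto_misuse_alerts_per_kloc": 0.4,
                        "comment_ratio": 0.1},
    "integrity": {"injection_alerts_per_kloc": 0.6,
                  "exception_alerts_per_kloc": 0.2,
                  "avg_cyclomatic_complexity": 0.2},
    "availability": {"exception_alerts_per_kloc": 0.6,
                     "avg_cyclomatic_complexity": 0.4},
}
# Layer 3: the overall security index.
INDEX_WEIGHTS: Dict[str, float] = {"confidentiality": 0.4, "integrity": 0.4, "availability": 0.2}


def assess(measures: Mapping[str, float]) -> Dict[str, object]:
    """Run the three-layer aggregation and return every intermediate score."""
    props = {name: normalize(measures[name], t, worse) for name, (t, worse) in PROPERTIES.items()}
    chars = {c: weighted_sum(props, w) for c, w in CHARACTERISTICS.items()}
    return {"properties": props, "characteristics": chars,
            "security_index": weighted_sum(chars, INDEX_WEIGHTS)}


# Constructed measurements for one hypothetical 12,000-LOC product.
SAMPLE_MEASURES: Dict[str, float] = {
    "injection_alerts_per_kloc": alert_density(3, 12_000),
    "crypto_misuse_alerts_per_kloc": alert_density(0, 12_000),
    "exception_alerts_per_kloc": alert_density(18, 12_000),
    "avg_cyclomatic_complexity": 6.0,
    "comment_ratio": 0.20,
}

if __name__ == "__main__":
    for level, scores in assess(SAMPLE_MEASURES).items():
        print(level, scores)
```

Keeping every intermediate score, rather than only the index, is what makes such a model actionable: a low `availability` score here traces straight back to the exception-handling alert density that drove it, which is the kind of drill-down a class-level or product-level assessment needs.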