A study examining relationships between micro patterns and security vulnerabilities

Abstract

Software security is an integral part of software quality and reliability. Software vulnerabilities make the software susceptible to attacks which violates software security. Metric-based software vulnerability prediction is one way to evaluate vulnerabilities beforehand so that developers can take preventative measures against attacks. In this study, we explore the correlation between software vulnerabilities and code-level constructs called micro patterns. These code patterns characterize class-level object-oriented program features. Existing research addressed micro pattern correlation with software defects. We analyzed the correlation between vulnerabilities and micro patterns from different viewpoints and explored whether they are related. We studied the distribution of micro patterns and their associations with vulnerable classes in 42 versions of the Apache Tomcat and three Java web applications. This study shows that certain micro patterns are frequently present in vulnerable classes. We also show that there is a high correlation between certain patterns that coexist in a vulnerable class.