Abstract

Relying on a single validation and verification (V&V) technique alone cannot detect all of the security problems of a software system. Each class of V&V effort detects different classes of faults in software. Even after composing a series of V&V efforts, one can never be completely sure that all faults have been detected. Additionally, security-related V&V efforts must be continuously updated to handle the newest forms of exploits of underlying vulnerabilities in software. The alerts produced by automated static analysis (ASA) tools and other static metrics have been shown to be an effective estimator of the actual reliability of a software system. Predictions of defect density and high-risk components can be made using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted from the number of security-related alerts reported by one or more static analyzers and from other static metrics. We built and evaluated statistical prediction models that predict the actual overall security of a system.
