Towards the application of recommender systems to secure coding

Fitzroy D. Nembhard,Thomas C. Eskridge,Marco M. Carvalho

doi:10.1186/s13635-019-0092-4

Fitzroy D. Nembhard, Thomas C. Eskridge + Show 1 more

Open Access

https://doi.org/10.1186/s13635-019-0092-4

Copy DOI

Abstract

Secure coding is crucial for the design of secure and efficient software and computing systems. However, many programmers avoid secure coding practices for a variety of reasons. Some of these reasons are lack of knowledge of secure coding standards, negligence, and poor performance of and usability issues with existing code analysis tools. Therefore, it is essential to create tools that address these issues and concerns. This article features the proposal, development, and evaluation of a recommender system that uses text mining techniques, coupled with IntelliSense technology, to recommend fixes for potential vulnerabilities in program code. The resulting system mines a large code base of over 1.6 million Java files using the MapReduce methodology, creating a knowledge base for a recommender system that provides fixes for taint-style vulnerabilities. Formative testing and a usability study determined that surveyed participants strongly believed that a recommender system would help programmers write more secure code.

Highlights

Data breaches continue to plague organizations across the globe
(2) How useful are the advice/recommendations provided by existing tools? This question was presented to participants who indicated that they currently take advantage of existing code analyzers. 25.81% of this group of participants described as “helpful” the recommendations they received from the scanners they used and 67.74% reported that the advice given was “somewhat helpful” in fixing vulnerabilities
Themes that emerged from the survey Several important themes stood out in the responses provided by participants in the knowledge elicitation survey as evaluated using the grounded theory approach [74]

Summary

Introduction

Data breaches continue to plague organizations across the globe. The 2017 Cost of Data Breach Study conducted by the Ponemon Institute shows that the average total cost of a data breach is US$3.62 million [1]. One of the main causes of data breaches is code-level vulnerabilities [2, 3]. A 2017 report by Tricentis shows that for 11 months in 2016, news articles reported at least 3 software failures per month that were caused by code-level vulnerabilities [4]. These statistics emphasize the need for improved security analytics techniques. If data breaches and other securityrelated issues are to be resolved, it is imperative that developers have useful and effective tools at their disposal to help them write secure code

Objectives

Methods

Results

Conclusion