James Walden
Northern Kentucky University
Publication
Featured research published by James Walden.
IEEE Transactions on Software Engineering | 2014
Riccardo Scandariato; James Walden; Aram Hovsepyan; Wouter Joosen
This paper presents an approach based on machine learning to predict which components of a software application contain security vulnerabilities. The approach is based on text mining the source code of the components. Namely, each component is characterized as a series of terms contained in its source code, with the associated frequencies. These features are used to forecast whether each component is likely to contain vulnerabilities. In an exploratory validation with 20 Android applications, we discovered that a dependable prediction model can be built. Such a model could be useful to prioritize the validation activities, e.g., to identify the components needing special scrutiny.
International Symposium on Software Reliability Engineering | 2014
James Walden; Jeffrey Stuckman; Riccardo Scandariato
Building secure software is difficult, time-consuming, and expensive. Prediction models that identify vulnerability-prone software components can be used to focus security efforts, thus helping to reduce the time and effort required to secure software. Several kinds of vulnerability prediction models have been proposed over the course of the past decade. However, these models were evaluated with differing methodologies and datasets, making it difficult to determine the relative strengths and weaknesses of different modeling techniques. In this paper, we provide a high-quality, public dataset, containing 223 vulnerabilities found in three web applications, to help address this issue. We used this dataset to compare vulnerability prediction models based on text mining with models using software metrics as predictors. We found that text mining models had higher recall than software-metrics-based models for all three applications.
Physical Review D | 1997
Martin J. Savage; James Walden
We examine the effects of SU(3) breaking in the matrix elements of the flavor-diagonal axial-vector currents between octet baryon states. Our calculations of $K$, $\eta$, and $\pi$ loops indicate that the SU(3) breaking may be substantial for some matrix elements and at the very least indicate large uncertainties. In particular, the strange axial matrix element in the proton determined from the measurements of $g_1(x)$ is found to have large uncertainties and might yet be zero. We estimate the strange axial matrix element in the proton to be $-0.35 \lesssim \Delta s \lesssim 0$ and the matrix element of the flavor-singlet current in the proton to be $-0.1 \lesssim \Sigma \lesssim +0.3$ from the E143 measurement of $\int dx\, g_1(x) = 0.127 \pm 0.004 \pm 0.010$. The up-quark content of the $\Xi^-$ and its implications for nonleptonic weak processes are discussed. We also estimate the matrix element of the axial-vector current coupling to the $Z^0$ between all octet baryon states. This may be important for neutrino interactions in dense nuclear environments, where hyperons may play an important role. © 1997 The American Physical Society
Empirical Software Engineering and Measurement | 2009
James Walden; Maureen Doyle; Grant A. Welch; Michael Whelan
In an empirical study of fourteen widely used open source PHP web applications, we found that the vulnerability density of the aggregate code base decreased from 8.88 vulnerabilities/KLOC to 3.30 from Summer 2006 to Summer 2008. Individual web applications varied widely, with vulnerability densities ranging from 0 to 121.4 at the beginning of the study. While the total number of security problems decreased, vulnerability density increased in eight of the fourteen applications over the analysis period. We developed a security resources indicator metric, which we found to be strongly correlated (ρ = 0.67, p < 0.05) with change in vulnerability density over time. Traditional software metrics, such as code size, cyclomatic complexity, nesting complexity, and churn, had significant (p < 0.05) but much smaller correlations (ρ = 0.31 at best) with vulnerability density. Vulnerability density was measured using the Fortify Source Code Analyzer static analysis tool.
International Symposium on Software Reliability Engineering | 2013
Riccardo Scandariato; James Walden; Wouter Joosen
Suppose you have to assemble a security team, which is tasked with performing the security analysis of your organization's latest applications. After researching how to assess your applications, you find that the most popular techniques (also offered by most security consultancies) are automated static analysis and black box penetration testing. Under time and budget constraints, which technique would you use first? This paper compares these two techniques by means of an exploratory controlled experiment, in which 9 participants analyzed the security of two open source blogging applications. Despite its relatively small size, this study shows that static analysis finds more vulnerabilities, and in a shorter time, than penetration testing.
International Workshop on Security | 2012
Riccardo Scandariato; James Walden
Smart phones have been outselling PCs for several years. The Android operating system dominates the smart phone market, and the Android Market (now Google Play Store) recently passed the mark of 15 billion application downloads. Therefore, there is a large base of users that is attractive for hackers to target. In this paper, we examine the questions of whether mobile applications developed for the Android platform are vulnerable or not, and how to predict which classes of an Android application are vulnerable. This paper approaches an answer to these questions by analyzing one very popular application of the Android Market and developing a vulnerability prediction model with high accuracy (over 80%) and precision (over 75%).
IEEE Symposium on Security and Privacy | 2012
James Walden; Maureen Doyle
Open source software presents new opportunities for software acquisition but introduces risks. The selection of open source applications should take into account both features and security risks. Risks include security vulnerabilities, of which published vulnerabilities are only the tip of the iceberg. Having an application's source code lets us look deeper at its security. SAVI (Static-Analysis Vulnerability Indicator) is a metric for assessing the risks of using software built by external developers. It combines several types of static-analysis data to rank application vulnerability.
International Conference on Engineering Secure Software and Systems | 2010
James Walden; Maureen Doyle; Robert Lenhof; John Murray
While Java and PHP are two of the most popular languages for open source web applications found at freshmeat.net, Java has had a much better security reputation than PHP. In this paper, we examine whether that reputation is deserved. We studied whether the variation in vulnerability density is greater between languages or between different applications written in a single language by comparing eleven open source web applications written in Java with fourteen such applications written in PHP. To compare the languages, we created a Common Vulnerability Metric (CVM), which is the count of four vulnerability types common to both languages. Common Vulnerability Density (CVD) is CVM normalized by code size. We measured CVD for two revisions of each project, one from 2006 and the other from 2008. CVD values were higher for the aggregate PHP code base than the Java code base, but PHP had a better rate of improvement, with a decline from 6.25 to 2.36 vulnerabilities/KLOC compared to 1.15 to 0.63 in Java. These changes arose from an increase in code size in both languages and a decrease in vulnerabilities in PHP. The variation between projects was greater than the variation between languages, ranging from 0.52 to 14.39 for Java and 0.03 to 121.36 in PHP for 2006. We used security and software metrics to examine the sources of difference between projects.
Integrating Technology into Computer Science Education | 2013
James Walden; Maureen Doyle; Rudy Garns; Zachary P. Hart
In this paper, we examine computational thinking and its connections to critical thinking from the perspective of informatics. We developed an introductory course for students in our College of Informatics, which includes majors ranging from journalism to computer science. The course covered a set of principles of informatics, using both lectures and active learning sessions designed to develop informatics and computational thinking skills. The set of principles was drawn from a wide set of sources, and included broad principles like those of Denning and Loidl, as well as more limited principles related to topics like universal computation and undecidability. We evaluated the change in both computational and critical thinking skills over the course of the semester, using a well-known validated critical thinking test and a computational thinking test of our own devising.
Information Security Curriculum Development | 2006
James Walden; Charles E. Frank
We are designing a course in secure software engineering that will teach students how to incorporate security throughout the software development lifecycle. The class will serve as a capstone for a new graduate certificate in secure software engineering. This paper describes the class goals, the design for the class, and the materials that we will develop to teach secure software engineering. We are creating ten modules to cover the core topics in software security. Each module will cover one or more class goals and will consist of both explanatory materials and assignments that give students the opportunity to apply what they have learned in a small context. The modules will be developed over the Summer and Fall of 2006, and the class will first be offered in Spring 2007. The class will also incorporate a team-based web development project that students will work on throughout the semester to gain experience applying security principles to a large-scale project.