Presentation is loading. Please wait.

Presentation is loading. Please wait.

Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna.

Published byBrandon Hall Modified over 8 years ago

Similar presentations

Presentation on theme: "Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna."— Presentation transcript:

1 Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna

2 1. Research Objective 2. Evolution of Web App Security 3. Security Resource Indicator 4. Vulnerability Type Analysis 5. Code Metrics 6. Analysis Limitations 7. Conclusion 10/12/2009 University of Kentucky2

3 Goal: Identify predictors for vulnerability density (VD) and change in VD for open source web applications. Research questions: 1.Can software security practices predict evolution of VD over time? 2.Can code size or complexity predict VD? 3.Can code change metrics predict VD? 10/12/2009 University of Kentucky3

4 Static Analysis ◦ Nagappan and Ball, ICSE 2005a ◦ Coverity Open Source Report 2009 ◦ Fortify Open Source Security Study 2008 Complexity and Change Metrics ◦ Nagappan and Ball, ICSE 2005b ◦ Nagappan, Ball, and Zeller, ICSE 2006 ◦ Shin and Williams, QoP 2008 10/12/2009 University of Kentucky4

5 Reported Vulnerabilities in NVD or OSVDNVD OSVD ◦ Coarse-grained time evolution. ◦ Difficult to correlate with revision. ◦ Undercounts actual vulnerabilities. Dynamic Analysis ◦ Expensive. ◦ False positives and negatives. ◦ Requires installation of application. Static Analysis ◦ Expensive. ◦ False positives and negatives. ◦ Static Analysis Vulnerability Density = vulns/kloc. 10/12/2009 University of Kentucky5

6 Selection process ◦ PHP web applications from freshmeat.net. ◦ Subversion repository with 100 weeks of revisions. Revisions ◦ One revision selected per week for analysis. Range of projects ◦ 14 projects met selection criteria. ◦ 5,800 to 388,000 lines of code (2008). ◦ Removing highest & lowest, SLOC range of 25-150 kloc. 10/12/2009 University of Kentucky6

7 Overall security improvement. ◦ first week average: 8.88 vulns/kloc ◦ final week average: 3.30 vulns/kloc Average SAVD high vs. Coverity’s 0.30 SAVD. ◦ Language differences: C/C++ vs. PHP. ◦ Vulnerability differences  buffer overflows vs XSS/SQL. No correlation with NVD vulnerabilities. ◦ NVD correlated with freshmeat popularity. 10/12/2009 University of Kentucky7

8 10/12/2009 University of Kentucky8

9 10/12/2009 University of Kentucky9

10 10/12/2009 University of Kentucky10

11 Public security resources on project site ◦ URL for installation or configuration security ◦ Dedicated address to report security bugs ◦ Database of known security vulnerabilities ◦ Documentation of secure development practices Results ◦ Correlation of  = 0.67 (p < 0.05) with  SAVD 10/12/2009 University of Kentucky11

12 10/12/2009 University of Kentucky12

13 20062008 10/12/2009 University of Kentucky13

14 10/12/2009 University of Kentucky14

15 10/12/2009 University of Kentucky15

16 10/12/2009 University of Kentucky16

17 Size measure ◦ Source Lines of Code (SLOC) Complexity measures ◦ Cyclomatic Complexity ◦ Nesting Complexity ◦ Maximum, average, total Change measures ◦ Churn = lines added + changed ◦ Lines deleted 10/12/2009 University of Kentucky17 1 2 1. do loop 2. stmt 3. end loop 3 CC = E – N + 2 P = 3 – 3 + 2*1

18 10/12/2009 University of Kentucky18

19 10/12/2009 University of Kentucky19

20 May not apply to apps that didn’t meet criteria ◦ Non-PHP applications ◦ No SVN repository with two years of history False positives ◦ 18.1% rate from two sample applications ◦ Coverity found a rate under 14% for their study SAVD will differ between static analysis tools 10/12/2009 University of Kentucky20

21 OS PHP web app security improved: ◦ 8.88 to 3.30 SAVD from 2008 to 2006. ◦ But 8 of 14 apps increased SAVD over period. SRI can indicate which apps will improve. No single code metric is predictive for SAVD. ◦ Complexity is an indicator for SAVD. ◦ Churn is not an indicator for SAVD. 10/12/2009 University of Kentucky21

22 Why does app security vary so much? ◦ Analyze security processes for each app. How do we validate SAVD measurement? ◦ NVD count correlates with popularity. Java web applications ◦ How does Java SAVD compare with PHP SAVD? ◦ How do trends compare between Java and PHP? ◦ More software metrics available for Java. 10/12/2009 University of Kentucky22

23 10/12/2009 University of Kentucky23

24 10/12/2009 University of Kentucky24

25 10/12/2009 University of Kentucky25

26 10/12/2009 University of Kentucky26

27 10/12/2009 University of Kentucky27

Download ppt "Maureen Doyle, James Walden Northern Kentucky University Students: Grant Welch, Michael Whelan Acknowledgements: Dhanuja Kasturiratna."

Similar presentations

Basic Spreadsheet Functions Objective 4.01. Functions are predefined formulas that perform calculations by using specific values, called arguments, in.

Basic Spreadsheet Functions Objective Functions are predefined formulas that perform calculations by using specific values, called arguments, in.
Software Configuration Management: Under the Hood of Two Leading Tools Presented by: Andrew Wheeler & Shane Marcus.

Software Configuration Management: Under the Hood of Two Leading Tools Presented by: Andrew Wheeler & Shane Marcus.
A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.

A Metric for Evaluating Static Analysis Tools Katrina Tsipenyuk, Fortify Software Brian Chess, Fortify Software.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
MetriCon 2.0 Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail Michael Gegick, Laurie Williams North Carolina.

MetriCon 2.0 Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail Michael Gegick, Laurie Williams North Carolina.
1 Predicting Bugs From History Software Evolution Chapter 4: Predicting Bugs from History T. Zimmermann, N. Nagappan, A Zeller.

1 Predicting Bugs From History Software Evolution Chapter 4: Predicting Bugs from History T. Zimmermann, N. Nagappan, A Zeller.
Figures – Chapter 24.

Figures – Chapter 24.
What causes bugs? Joshua Sunshine. Bug taxonomy Bug components: – Fault/Defect – Error – Failure Bug categories – Post/pre release – Process stage – Hazard.

What causes bugs? Joshua Sunshine. Bug taxonomy Bug components: – Fault/Defect – Error – Failure Bug categories – Post/pre release – Process stage – Hazard.
Week 1 intro to PM Project Management Introduction to Project Management and the Software Development Lifecycle Week 1 Winter quarter 1/7/02 SOS.

Week 1 intro to PM Project Management Introduction to Project Management and the Software Development Lifecycle Week 1 Winter quarter 1/7/02 SOS.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
1 Instability Visualization and Analysis Jim Whitehead Jennifer Bevan University of California, Santa Cruz

1 Instability Visualization and Analysis Jim Whitehead Jennifer Bevan University of California, Santa Cruz
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Advanced Topics in Software Engineering ATSE 2009 Topics, participants and results Gordana Rakic, Zoran Budimac.

Advanced Topics in Software Engineering ATSE 2009 Topics, participants and results Gordana Rakic, Zoran Budimac.
3. Software product quality metrics The quality of a product: -the “totality of characteristics that bear on its ability to satisfy stated or implied needs”.

3. Software product quality metrics The quality of a product: -the “totality of characteristics that bear on its ability to satisfy stated or implied needs”.
Static VS Dynamic websites. 1-What are the advantages and disadvantages? 2- Which one should you choose and why?

Static VS Dynamic websites. 1-What are the advantages and disadvantages? 2- Which one should you choose and why?
DAT602 Database Application Development Lecture 15 Java Server Pages Part 1.

DAT602 Database Application Development Lecture 15 Java Server Pages Part 1.
TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.

TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

“Good Enough” Metrics Jeremy Epstein Senior Director, Product Security webMethods, Inc.

Similar presentations

Ads by Google