A study examining relationships between micro patterns and security vulnerabilities

Published in: Software Quality Journal

Abstract

Software security is an integral part of software quality and reliability. Software vulnerabilities make software susceptible to attacks that violate its security. Metric-based software vulnerability prediction is one way to assess vulnerabilities in advance so that developers can take preventative measures against attacks. In this study, we explore the correlation between software vulnerabilities and code-level constructs called micro patterns. These code patterns characterize class-level object-oriented program features. Existing research has addressed the correlation of micro patterns with software defects. We analyzed the correlation between vulnerabilities and micro patterns from different viewpoints and explored whether they are related. We studied the distribution of micro patterns and their associations with vulnerable classes in 42 versions of Apache Tomcat and in three Java web applications. This study shows that certain micro patterns are frequently present in vulnerable classes. We also show that there is a high correlation between certain patterns that coexist in a vulnerable class.



Author information


Corresponding author

Correspondence to Kazi Zakia Sultana.


About this article


Cite this article

Sultana, K.Z., Williams, B.J. & Bhowmik, T. A study examining relationships between micro patterns and security vulnerabilities. Software Qual J 27, 5–41 (2019). https://doi.org/10.1007/s11219-017-9397-z


  • DOI: https://doi.org/10.1007/s11219-017-9397-z
