Automated Security Assessment
Software security is a major concern for developers who intend to deliver reliable software. My research focuses on ensuring software security during the development phase. To ensure security during development, we need to measure the security level of code using metrics, and the efficiency and effectiveness of these metrics determine how secure and free of security bugs the resulting code is. Although existing research addresses vulnerability (security bug) prediction and discovery using existing metrics, there is still a need for security-specific metrics that measure software security and vulnerability-proneness quantitatively. Existing methods are based either on software metrics that are not yet security specific or on generic patterns, known as traceable patterns, which were developed for attributing software components at the file or function level. Other methods predict vulnerabilities using text mining approaches or graph algorithms, which perform poorly in cross-project validation and fail to generalize as prediction models for arbitrary systems.
Goal: The goal of my research is to construct an automated framework that assists developers in assessing the security level of their code and guides them towards developing secure code.
- Study the challenges of the current software metrics and traceable patterns in vulnerability prediction.
- Redefine and characterize the patterns and software metrics so that they capture security-specific properties of code and measure the security level quantitatively.
- Implement a framework that automatically extracts the values of all the patterns and metrics for a given code segment and then reports the estimated security level as feedback, guiding developers towards writing secure code.