ABSTRACT
As open-source projects are becoming ever more present throughout the modern computing stack, it is crucial to be able to quickly spot problematic, poorly maintained, or otherwise "risky" projects. The OSSF Scorecard has been introduced to address this need for fast security risk assessment by mining software repository metadata. We can reasonably expect a project with a CI system, code reviews, and lots of users to be less risky than a project without those qualities. Since measuring security risk directly is difficult, we test a proxy hypothesis that these factors should also correlate with fewer bugs in software, and we test that hypothesis by scanning thousands of popular C and C++ projects with static analysis tools.
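The abstract describes testing whether favourable repository signals go together with fewer static-analysis findings. The following is an added illustration of that proxy-hypothesis test; it is not code from the paper, from the OSSF Scorecard, or from any scanner it used. It assumes a simplified three-signal score (CI present, code review present, at least 1000 stars) standing in for Scorecard checks, a constructed set of eight projects with made-up finding counts, and bug density measured as findings per thousand lines of code; the association is measured with Spearman's rank correlation, using average ranks for ties, so a negative value means more favourable signals go with lower bug density.

```python
import math
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Project:
    """One scanned repository (constructed sample data, not real projects)."""
    name: str
    has_ci: bool
    has_code_review: bool
    stars: int
    kloc: float        # thousands of lines of C/C++ source
    findings: int      # static-analysis findings reported for the project


def signal_score(p: Project) -> int:
    """Hypothetical stand-in for Scorecard checks: count of favourable signals (0..3)."""
    return int(p.has_ci) + int(p.has_code_review) + int(p.stars >= 1000)


def bug_density(p: Project) -> float:
    """Findings normalised by code size so large projects are not penalised for size alone."""
    return p.findings / p.kloc


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values receive the mean of the ranks they would occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + j + 2) / 2          # mean of 1-based ranks i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman's rho computed as the Pearson correlation of the (tie-averaged) ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / math.sqrt(vx * vy)


# Constructed sample: names, signals and finding counts are invented for illustration.
SAMPLE: List[Project] = [
    Project("alpha",   True,  True,  5000,  100.0, 50),
    Project("bravo",   True,  True,   200,   40.0, 30),
    Project("charlie", False, False,   50,   10.0, 30),
    Project("delta",   True,  False, 1500,   80.0, 80),
    Project("echo",    False, True,    30,   20.0, 40),
    Project("foxtrot", False, False, 2000,   50.0, 100),
    Project("golf",    True,  True, 10000,  200.0, 60),
    Project("hotel",   False, False,   10,    5.0, 20),
]


def proxy_hypothesis_rho(projects: Sequence[Project]) -> float:
    """Correlation between favourable-signal score and bug density across projects."""
    scores = [signal_score(p) for p in projects]
    densities = [bug_density(p) for p in projects]
    return spearman(scores, densities)


if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name:8s} score={signal_score(p)} findings/KLOC={bug_density(p):.2f}")
    print(f"Spearman rho (score vs. density): {proxy_hypothesis_rho(SAMPLE):.3f}")
```

A strongly negative rho on the sample supports the proxy hypothesis for that data; on real repositories the same computation would be run over thousands of projects, and the finding counts would come from the static analysers rather than being typed in.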
Index Terms
- Estimating Security Risk Through Repository Mining