Predicting unknown vulnerabilities using software metrics and maturity models'

Patrick Kamongi and Krishna Kavi
Software Vulnerabilities, Software Metrics, Maturity Models

We face an increasing reliance on software-based services, applications, platforms, and infrastructures to accomplish daily activities. It is possible to introduce vulnerabilities during any software life cycle and these vulnerabilities could lead to security attacks. It is known that as the software complexity increases, discovering a new security vulnerability introduced by subsequent updates and code changes becomes difficult. This can be seen from the rate of new vulnerabilities discovered after a software release. IT Products’ vulnerabilities sometimes remain undiscovered for many years. In this paper, we report our study of IT products’ source codes using software maturity models and the history of vulnerabilities discovered. We use this data to develop a model to predict the number of security vulnerabilities contained in a product, including undiscovered vulnerabilities. Our proposed approach can be used to explore proactive strategies for mitigating the risks due to zero-day vulnerabilities.

Publish Date: 
Monday, August 22, 2016
The 8th International conferences on software engineering advances (ICSEA-2016)
Paper URL: