CSC News
Williams Receives NSF Award to Study Security Vulnerabilities
Dr. Laurie Williams has been awarded $193,563 by the National Science Foundation to fund her research proposal titled “CT-ER: On the Use of Security Metrics to Identify and Rank the Risk of Vulnerability- and Exploit-Prone Components.”
The award will run from August 1, 2007 through July 31, 2009.
Research Abstract - The alerts produced by automated static analysis (ASA) tools and other static metrics have been shown to be an effective estimator of the actual reliability of a software system. Defect density can be predicted, and high-risk components identified, using static analyzers early in the development phase. Our research hypothesis is that the actual number of security vulnerabilities in a software system can be predicted from the number of security-related alerts reported by one or more static analyzers together with other static metrics. We propose to build, evolve, and validate a statistical prediction model whereby security-related ASA alerts from one or more tools and other software metrics are used to predict the actual overall security of a system. Our research involves collecting and analyzing a significant amount of data on software programs, including security-related ASA alerts and actual security vulnerabilities and exploits, based upon inspections, testing failures, field failures, and reported exploits.
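To make the proposed approach concrete, the following is an added illustration, not code or data from Dr. Williams's project: it fits a least-squares model that predicts a component's vulnerability count from its security-related ASA alert count and two other static metrics (size in KLOC and change churn), then ranks unlabeled components by predicted risk. The metric names, the training data and the candidate components are all constructed for the example; the training counts were generated from a known linear relation so the recovered coefficients can be checked.

```python
"""Illustrative risk ranking of components from static-analysis alerts.

Added example, not the funded project's model. The metrics, the training
data and the candidate components below are constructed (hypothetical).
"""
from typing import Dict, List, Tuple

# Feature order used throughout: security-related ASA alerts, size in KLOC,
# and churn (commits touching the component). All three are assumptions.
FEATURES = ("asa_alerts", "kloc", "churn")

# Constructed training data: per-component metrics and the vulnerabilities
# later confirmed by inspection, testing, field failures and reported
# exploits. Counts were generated from 1 + 0.5*alerts + 0.2*kloc + 0.1*churn
# so that the fit can be verified exactly.
TRAINING: List[Tuple[Dict[str, float], float]] = [
    ({"asa_alerts": 10, "kloc": 20, "churn": 30}, 13.0),
    ({"asa_alerts": 4, "kloc": 10, "churn": 5}, 5.5),
    ({"asa_alerts": 0, "kloc": 5, "churn": 2}, 2.2),
    ({"asa_alerts": 25, "kloc": 40, "churn": 10}, 22.5),
    ({"asa_alerts": 7, "kloc": 15, "churn": 50}, 12.5),
    ({"asa_alerts": 2, "kloc": 30, "churn": 8}, 8.8),
]

# Constructed, unlabeled components to be ranked for review priority.
CANDIDATES: Dict[str, Dict[str, float]] = {
    "auth": {"asa_alerts": 12, "kloc": 8, "churn": 20},
    "parser": {"asa_alerts": 30, "kloc": 50, "churn": 5},
    "ui": {"asa_alerts": 1, "kloc": 60, "churn": 3},
    "logging": {"asa_alerts": 0, "kloc": 4, "churn": 1},
}


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            # Two metrics are collinear: the normal equations have no unique solution.
            raise ValueError("design matrix is rank deficient; drop a collinear metric")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ols(samples: List[Tuple[Dict[str, float], float]]) -> List[float]:
    """Return [intercept, w_alerts, w_kloc, w_churn] via the normal equations."""
    rows = [[1.0] + [float(x[f]) for f in FEATURES] for x, _ in samples]
    y = [float(v) for _, v in samples]
    k = len(FEATURES) + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    return _solve(xtx, xty)


def predict(coefs: List[float], metrics: Dict[str, float]) -> float:
    """Predicted vulnerability count for one component."""
    return coefs[0] + sum(w * float(metrics[f]) for w, f in zip(coefs[1:], FEATURES))


def rank_components(coefs: List[float],
                    components: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Components ordered from highest to lowest predicted vulnerability count."""
    scored = [(name, predict(coefs, m)) for name, m in components.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    coefs = fit_ols(TRAINING)
    print("coefficients (intercept, alerts, kloc, churn):",
          [round(c, 4) for c in coefs])
    for name, score in rank_components(coefs, CANDIDATES):
        print(f"{name:8s} predicted vulnerabilities: {score:.2f}")
```

The ranking, not the raw count, is what a reviewer would act on: a component with few alerts but a large, rapidly changing code base can outrank a small component with several alerts, which is why the abstract pairs ASA alerts with other static metrics rather than relying on alert counts alone. On real data the coefficients must be validated against held-out components (the abstract's "validate" step), and a rank-deficient fit, raised as an error above, signals metrics that are redundant with each other.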