Posted on 2012-11-30, 16:49, authored by Shadi Ghaith, Mel Ó Cinnéide
Security metrics have been proposed to assess the security of
software applications based on the principles of “reduce attack surface”
and “grant least privilege.” While these metrics can help inform the
developer in choosing designs that provide better security, they cannot
on their own show exactly how to make an application more secure. Even
if they could, the onerous task of updating the software to improve its
security is left to the developer. In this paper we present an approach
to automated improvement of software security based on search-based
refactoring. We use the search-based refactoring platform, Code-Imp, to
refactor the code in a fully-automated fashion. The fitness function used
to guide the search is based on a number of software security metrics.
The purpose is to improve the security of the software immediately prior
to its release and deployment. To test the value of this approach we
apply it to an industrial banking application that has a strong security
dimension, namely Wife. The results show an average improvement of
27.5% in the metrics examined. A more detailed analysis reveals that
15.5% of metric improvement results in real improvement in program
security, while the remaining 12% of metric improvement is attributable
to hitherto undocumented weaknesses in the security metrics themselves.
Publication
4th International Symposium on Search-Based Software Engineering (SSBSE'12) Lecture Notes on Computer Science;7515, pp. 121-135
Publisher
Springer
Note
peer-reviewed
Other Funding information
SFI
Rights
The original publication is available at www.springerlink.com