Keyword Extraction From Specification Documents for Planning Security Mechanisms
Software development companies invest heavily, in both time and money, in post-production support to fix security vulnerabilities in their products. Current techniques identify vulnerabilities from source code using static and dynamic analyses. However, this does not help integrate security mechanisms early, in the architectural design phase. We develop VDocScan, a technique for predicting vulnerabilities based on specification documents, even before the development stage. We evaluate VDocScan using an extensive dataset of CVE vulnerability reports mapped to over 3600 product documentations. An evaluation of 8 CWE vulnerability pillars shows that even interpretable whitebox classifiers predict vulnerabilities with up to 61.1% precision and 78% recall. Further, using strategies to improve the relevance of extracted keywords, addressing class imbalance, segregating products into categories such as Operating Systems, Web applications, and Hardware, and using blackbox ensemble models such as the random forest classifier improves the performance to 96% precision and 91.1% recall. The high precision and recall show that VDocScan can anticipate, during the design phase, vulnerabilities detected over a product's lifetime, so that the necessary security mechanisms can be incorporated ahead of time. The performance is consistently high for vulnerabilities whose mode of introduction is architecture and design.
Thu 18 May (displayed time zone: Hobart)
13:45 - 15:15 | SE for security 2 | Technical Track / Journal-First Papers at Meeting Room 106 | Chair(s): Cristian Cadar (Imperial College London, UK)
13:45 | 15m | Talk | SLR: From Saltzer & Schroeder to 2021… | Journal-First Papers | Nikhil Patnaik (University of Bristol), Andrew C Dwyer (University of Durham), Joseph Hallett, Awais Rashid (University of Bristol, UK)
14:00 | 15m | Talk | On-Demand Security Requirements Synthesis with Relational Generative Adversarial Networks (RelGAN) | Technical Track | Viktoria Koscinski (Rochester Institute of Technology), Sara Hashemi (Rochester Institute of Technology), Mehdi Mirakhorli (Rochester Institute of Technology)
14:15 | 15m | Talk | Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon | Technical Track | Ita Ryan (University College Cork), Utz Roedig (University College Cork), Klaas-Jan Stol (Lero; University College Cork; SINTEF Digital) | Pre-print
14:30 | 15m | Talk | What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts? | Technical Track | Setu Kumar Basak (North Carolina State University), Lorenzo Neil (North Carolina State University), Bradley Reaves (North Carolina State University), Laurie Williams (North Carolina State University) | Pre-print
14:45 | 15m | Talk | Lejacon: A Lightweight and Efficient Approach to Java Confidential Computing on SGX | Technical Track | Xinyuan Miao (Shanghai Jiao Tong University), Ziyi Lin (Alibaba Group), Shaojun Wang (Alibaba Group), Lei Yu (Alibaba Group), Sanhong Li (Alibaba Inc.), Zihan Wang (Shanghai Jiao Tong University), Pengbo Nie (Shanghai Jiao Tong University), Yuting Chen (Shanghai Jiao Tong University), Beijun Shen (Shanghai Jiao Tong University), He Jiang (Dalian University of Technology) | Pre-print
15:00 | 15m | Talk | Keyword Extraction From Specification Documents for Planning Security Mechanisms | Technical Track | Jeffy Jahfar Poozhithara (Apple Inc. and University of Washington Bothell), Hazeline Asuncion (University of Washington Bothell), Brent Lagesse (University of Washington Bothell) | Pre-print