An Approach to Cognitive Root Cause Analysis of Software Vulnerabilities
This program is tentative and subject to change.
Understanding the root causes of software vulnerabilities is crucial for designing and implementing preventative measures. Given that software development is inherently a human activity, developers’ cognitive errors stand out as a significant contributor to software vulnerabilities. While existing studies on vulnerability analysis focus on the software faults associated with vulnerabilities or on types of vulnerabilities, there is a gap in understanding how software vulnerabilities stem from developers’ cognitive errors. This paper proposes a novel method, Cognitive Analysis for Software Vulnerabilities (CASV), aimed at identifying the cognitive mechanisms by which software developers introduce vulnerabilities. CASV includes a set of cognitive patterns established in psychology and a modeling approach that bridges the gap between those patterns and software development contexts. Two empirical studies were conducted to apply and assess the CASV method. The studies involved four analysts performing root cause analysis on 152 software vulnerabilities. The results indicate that CASV was able to explain the cognitive mechanisms behind 70% (106 out of the 152) of the software vulnerabilities. Furthermore, CASV significantly improves the reliability of vulnerability root cause analysis: it achieved an agreement level of 0.63 among the four analysts, within the range of Substantial Agreement, compared to 0.29 when using a root cause taxonomy. The implications of this study are far-reaching, particularly in terms of raising developers’ awareness and enhancing their cognitive skills to proactively prevent software vulnerabilities.
Wed 4 Dec (displayed time zone: Athens)

11:00 - 12:30 | PROFES Session 8: Security, Compliance and Regulatory Compliance (Research Papers / Short Papers and Posters) at UT Library - Room 3

11:00 (18m, Research paper): An Approach to Cognitive Root Cause Analysis of Software Vulnerabilities [Research Papers]
  Theo Hytopoulos, Marvin Chan, Keegan Roth, Rylon Wasson, Fuqun Huang (Western Washington University)

11:18 (18m, Research paper): Guidelines for Supporting Software Engineers in Developing Secure Web Applications [Research Papers]
  Klara Svensson (Chalmers | University of Gothenburg), Drake Axelrod (Chalmers | University of Gothenburg), Mazen Mohamad (Chalmers | RISE - Research Institutes of Sweden), Rebekka Wohlrab (Chalmers University of Technology)

11:36 (12m, Short paper): Towards Generating Compliance Action Plans: A Discussion of Needs and Opportunities [Short Papers and Posters]
  Julio Guzman (Reutlingen University), Heiko Doerr (UL Method Park GmbH), Thomas Brenner (OHB System AG), Rainer Gerlich (Dr. Rainer Gerlich System and Software Engineering), Jürgen Münch (Reutlingen University), Marco Kuhrmann (Reutlingen University)

11:48 (18m, Research paper): Regulatory Requirements Engineering in Large Enterprises: An Interview Study on the European Accessibility Act [Research Papers]
  Oleksandr Kosenkov (fortiss GmbH), Michael Unterkalmsteiner (Blekinge Institute of Technology), Daniel Mendez (Blekinge Institute of Technology and fortiss), Jannik Fischbach (Netlight GmbH / fortiss GmbH)

12:06 (24m, Talk): Session 8 Discussion [Research Papers]