Improving Vulnerability Inspection Efficiency Using Active Learning

Software engineers can find vulnerabilities with less effort if they are directed towards code that might contain more vulnerabilities. HARMLESS is an incremental support vector machine tool builds a vulnerability prediction model from the source inspected to date, then suggests what files should be next. In this way, reduce time and required achieve some desired level of recall for finding The also provides feedback on when stop (at recall) while at same time, correcting human errors by double-checking suspicious files. This paper evaluates Mozilla Firefox data. found 80, 90, 95, 99 percent inspecting 10, 16, 20, 34 When targeting recall, could after 23, 30, 47 Even reviewers fail identify half (50 false negative rate), detect 96 missing Our results serve highlight very steep cost protecting software (in our case study is, example, 28,750 × 20% = 5,750 95 vulnerabilities). While result benefit mission-critical projects where resources available thousands files, research challenge future work how further cost. conclusion discusses various ways goal achieved.