Evaluating Software Metrics as Predictors of Software Vulnerabilities

Web application security is an important problem in today’s Internet. A major cause of this is that many developers are not equipped with the right skills to develop secure code. Because of limited time and resources, web engineers need help in recognizing vulnerable components. A useful approach to predict vulnerable code would allow them to prioritize security-auditing efforts. In this work, we compare the performance of different classification techniques in predicting vulnerable PHP files and propose an application of these classification rules. We performed empirical case studies on three large open source web-projects. Software metrics are investigated whether they are discriminative and predictive of vulnerable code, and can guide actions for improvement of code and development team and can prioritize validation and verification efforts. The results indicate that the metrics are discriminative and predictive of vulnerabilities.