Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities
- Yonghee Shin, Andrew Meneely, L. Williams, J. Osborne
- Computer Science · IEEE Transactions on Software Engineering
- 1 November 2011
This work investigated whether software metrics obtained from source code and development history are discriminative and predictive of vulnerable code locations, and predicted over 80 percent of the known vulnerable files with less than 25 percent false positives for both projects.
Predicting failures with developer networks and social network analysis
A case study involving a mature Nortel networking product of over three million lines of code shows that a significant correlation exists between file-based developer network metrics and failures; the study examines this collaboration structure with a developer network derived from code churn information, which can predict failures at the file level.
Secure open source collaboration: an empirical study of Linus' Law
This study examines the security of an open source project in the context of developer collaboration by analyzing version control logs and quantifying notions of Linus' Law as well as the "too many cooks in the kitchen" viewpoint into developer activity metrics.
Socio-technical developer networks: should we trust our measurements?
- Andrew Meneely, L. Williams
- Computer Science, Business · 33rd International Conference on Software…
- 21 May 2011
The results substantiate that SNA metrics represent socio-technical relationships in open source development projects, while also clarifying how the developer network can be interpreted by researchers and practitioners.
Validating software metrics: A spectrum of philosophies
The objective of this article is to guide researchers in making sound contributions to the field of software engineering metrics by providing a practical summary of the metrics validation criteria found in the academic literature.
Strengthening the empirical analysis of the relationship between Linus' Law and software security
This paper quantified Linus' Law and "too many cooks in the kitchen" with developer activity metrics and found a statistical association between these metrics and security vulnerabilities in the Linux kernel, and performed analysis on two additional projects: the PHP programming language and the Wireshark network protocol analyzer.
Protection Poker: The New Software Security "Game"
The Protection Poker "game" is a collaborative means for guiding this prioritization of security fortification efforts and has the potential to improve software security practices and team software security knowledge.
When a Patch Goes Bad: Exploring the Properties of Vulnerability-Contributing Commits
- Andrew Meneely, H. Srinivasan, Ayemi Musa, Alberto Rodriguez Tejeda, Matthew Mokary, B. Spates
- Computer Science · ACM / IEEE International Symposium on Empirical…
- 12 December 2013
This study traced 68 vulnerabilities in the Apache HTTP server back to the version control commits that originally contributed the vulnerable code, and showed that VCCs are large: on average they have more than twice as much code churn as non-VCCs, even when normalized against lines of code.
An empirical investigation of socio-technical code review metrics and security vulnerabilities
- Andrew Meneely, Alberto Rodriguez Tejeda, Kayla Davis
- Computer Science · SSE@SIGSOFT FSE
- 17 November 2014
This study analyzed 159,254 code reviews, 185,948 Git commits, and 667 post-release vulnerabilities in the Chromium browser project to explore the connection between collaborative reviews and vulnerabilities that were missed by the review process.
The impact of cross-platform development approaches for mobile applications from the user's perspective
It is found that hybrid apps (on both Android and iOS platforms) tend to be more prone to user complaints than interpreted/generated apps, and that a change in the development approach was accompanied by a reduction in user complaints about performance and reliability.