Profiling developers to predict vulnerable code changes

Tugce Coskun, Rusen Halepmollasi, Khadija Hanifi, Ramin Fadaei Fouladi, Pinar Comak De Cnudde, Ayse Tosun

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

1 Citation (Scopus)

Abstract

Software vulnerability prediction and management have caught the interest of researchers and practitioners, recently. Various techniques that are usually based on characteristics of the code artefacts are also offered to predict software vulnerabilities. While other studies achieve promising results, the role of developers in inducing vulnerabilities has not been studied yet. We aim to profile the vulnerability inducing and vulnerability fixing behaviors of developers in software projects using Heterogeneous Information Network (HIN) analysis. We also investigate the impact of developer profiles in predicting vulnerability inducing commits, and compare the findings against the approach based on the code metrics. We adopt Random Walk with Restart (RWR) algorithm on HIN and the aggregation of code metrics for extracting all the input features. We utilize traditional machine learning algorithms namely, Naive Bayes (NB), Support Vector Machine (SVM), Random Forest (RF) and eXtreme Gradient Boosting (XGBoost) to build the prediction models.We report our empirical analysis to predict vulnerability inducing commits of four Apache projects. The technique based on code metrics achieves 90% success for the recall measure, whereas the technique based on profiling developer behavior achieves 71% success. When we use the feature sets obtained with the two techniques together, we achieve 89% success.

Original languageEnglish
Title of host publicationPROMISE 2022 - Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, co-located with ESEC/FSE 2022
EditorsShane McIntosh, Weiyi Shang, Gema Rodriguez Perez
PublisherAssociation for Computing Machinery, Inc
Pages32-41
Number of pages10
ISBN (Electronic)9781450398602
DOIs
Publication statusPublished - 2 Nov 2022
Event18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2022, co-located with the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 - Singapore, Singapore
Duration: 17 Nov 2022 → …

Publication series

NamePROMISE 2022 - Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, co-located with ESEC/FSE 2022

Conference

Conference18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2022, co-located with the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022
Country/TerritorySingapore
CitySingapore
Period17/11/22 → …

Bibliographical note

Publisher Copyright:
© 2022 Owner/Author.

Funding

This work was funded by The Scientific and Technological Research Council of Turkey, under 1515 Frontier RD Laboratories Support Program with project no: 5169902.

FundersFunder number
Türkiye Bilimsel ve Teknolojik Araştırma Kurumu5169902

    Keywords

    • profiling developers
    • technical debt
    • vulnerability
    • vulnerability prediction

    Fingerprint

    Dive into the research topics of 'Profiling developers to predict vulnerable code changes'. Together they form a unique fingerprint.

    Cite this