Towards the application of recommender systems to secure coding

IF 2.5 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS EURASIP Journal on Information Security Pub Date : 2019-06-13 DOI:10.1186/s13635-019-0092-4

Fitzroy D. Nembhard, Marco M. Carvalho, Thomas C. Eskridge

引用次数: 16

Abstract

Secure coding is crucial for the design of secure and efficient software and computing systems. However, many programmers avoid secure coding practices for a variety of reasons. Some of these reasons are lack of knowledge of secure coding standards, negligence, and poor performance of and usability issues with existing code analysis tools. Therefore, it is essential to create tools that address these issues and concerns. This article features the proposal, development, and evaluation of a recommender system that uses text mining techniques, coupled with IntelliSense technology, to recommend fixes for potential vulnerabilities in program code. The resulting system mines a large code base of over 1.6 million Java files using the MapReduce methodology, creating a knowledge base for a recommender system that provides fixes for taint-style vulnerabilities. Formative testing and a usability study determined that surveyed participants strongly believed that a recommender system would help programmers write more secure code.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

浅谈推荐系统在安全编码中的应用

安全编码对于设计安全高效的软件和计算系统至关重要。然而，许多程序员由于各种原因而避免安全编码实践。其中一些原因是缺乏安全编码标准的知识，疏忽，以及现有代码分析工具的性能差和可用性问题。因此，创建处理这些问题和关注点的工具是必要的。本文介绍了一个推荐系统的建议、开发和评估，该系统使用文本挖掘技术和智能感知技术，为程序代码中的潜在漏洞提供修复建议。由此产生的系统使用MapReduce方法挖掘了超过160万个Java文件的大型代码库，为推荐系统创建了知识库，该知识库提供了对污染类型漏洞的修复。形成性测试和可用性研究确定，被调查的参与者强烈相信推荐系统将帮助程序员编写更安全的代码。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

EURASIP Journal on Information Security COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

8.80

自引率

0.00%

发文量

审稿时长

13 weeks

期刊介绍： The overall goal of the EURASIP Journal on Information Security, sponsored by the European Association for Signal Processing (EURASIP), is to bring together researchers and practitioners dealing with the general field of information security, with a particular emphasis on the use of signal processing tools in adversarial environments. As such, it addresses all works whereby security is achieved through a combination of techniques from cryptography, computer security, machine learning and multimedia signal processing. Application domains lie, for example, in secure storage, retrieval and tracking of multimedia data, secure outsourcing of computations, forgery detection of multimedia data, or secure use of biometrics. The journal also welcomes survey papers that give the reader a gentle introduction to one of the topics covered as well as papers that report large-scale experimental evaluations of existing techniques. Pure cryptographic papers are outside the scope of the journal. Topics relevant to the journal include, but are not limited to: • Multimedia security primitives (such digital watermarking, perceptual hashing, multimedia authentictaion) • Steganography and Steganalysis • Fingerprinting and traitor tracing • Joint signal processing and encryption, signal processing in the encrypted domain, applied cryptography • Biometrics (fusion, multimodal biometrics, protocols, security issues) • Digital forensics • Multimedia signal processing approaches tailored towards adversarial environments • Machine learning in adversarial environments • Digital Rights Management • Network security (such as physical layer security, intrusion detection) • Hardware security, Physical Unclonable Functions • Privacy-Enhancing Technologies for multimedia data • Private data analysis, security in outsourced computations, cloud privacy