A Data-Mining Based Study of Security Vulnerability Types and Their Mitigation in Different Languages

Conference paper. Computational Science and Its Applications – ICCSA 2020 (ICCSA 2020).

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 12252)

Abstract

The number of people accessing online services is increasing day by day, and with new users comes a greater need for effective and responsive cyber-security. Our goal in this study was to find out whether there are common patterns within the most widely used programming languages in terms of security issues and fixes. In this paper, we showcase some statistics based on the data we extracted for these languages. Analyzing the more popular ones, we found that the same security issues might appear differently in different languages, and as such the provided solutions may vary just as much.

We also found that projects with similar sizes can produce extremely different results, and have different common weaknesses, even if they provide a solution to the same task. These statistics may not be entirely indicative of the projects’ standards when it comes to security, but they provide a good reference point of what one should expect. Given a larger sample size they could be made even more precise, and as such a better understanding of the security relevant activities within the projects written in given languages could be achieved.

The presented work was carried out within the SETIT Project (2018-1.2.1-NKP-2018-00004). Project no. 2018-1.2.1-NKP-2018-00004 has been implemented with the support provided from the National Research, Development and Innovation Fund of Hungary, financed under the 2018-1.2.1-NKP funding scheme and partially supported by grant TUDFO/47138-1/2019-ITM of the Ministry for Innovation and Technology, Hungary. Furthermore, Péter Hegedűs was supported by the Bolyai János Scholarship of the Hungarian Academy of Sciences and the ÚNKP-19-4-SZTE-20 New National Excellence Program of the Ministry for Innovation and Technology.


Notes

  1. https://git-scm.com/.

  2. https://github.com/aatlasis/cve_manager.

  3. https://github.com/gaborantal/cve_manager.

  4. https://www.mitre.org/.

  5. https://www.postgresql.org/about/.

  6. https://github.com/gaborantal/git-log-parser.

  7. https://github.com/gaborantal/cve-miner.

  8. https://airtable.com/product.

  9. https://cwe.mitre.org/data/definitions/119.html.

  10. https://cwe.mitre.org/data/definitions/20.html.

  11. Common Vulnerability Scoring System, as presented by Mell et al. [9].

  12. https://cwe.mitre.org/data/definitions/79.html.

References

  1. Abunadi, I., Alenezi, M.: Towards cross project vulnerability prediction in open source web applications. In: Proceedings of the International Conference on Engineering MIS 2015, ICEMIS 2015. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2832987.2833051

  2. Behera, R.K., Shukla, S., Rath, S.K., Misra, S.: Software reliability assessment using machine learning technique. In: Gervasi, O., et al. (eds.) ICCSA 2018. LNCS, vol. 10964, pp. 403–411. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95174-4_32

  3. Bishop, M.: Introduction to Computer Security, vol. 50. Addison-Wesley, Boston (2005)

  4. Camilo, F., Meneely, A., Nagappan, M.: Do bugs foreshadow vulnerabilities? A study of the Chromium project. In: 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, pp. 269–279 (2015)

  5. Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM Workshop on Large-Scale Attack Defense, pp. 131–138 (2006)

  6. Kuhn, D., Raunak, M., Kacker, R.: An analysis of vulnerability trends, 2008–2016, pp. 587–588, July 2017. https://doi.org/10.1109/QRS-C.2017.106

  7. Li, F., Paxson, V.: A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2201–2215 (2017)

  8. Li, X., et al.: A mining approach to obtain the software vulnerability characteristics. In: 2017 Fifth International Conference on Advanced Cloud and Big Data (CBD), pp. 296–301 (2017)

  9. Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Privacy 4(6), 85–89 (2006)

  10. MITRE Corporation: CVE - Common Vulnerabilities and Exposures (2020). https://cve.mitre.org/. Accessed 29 Apr 2020

  11. MITRE Corporation: CWE - Common Weakness Enumeration (2020). https://cwe.mitre.org/. Accessed 29 Apr 2020

  12. Munaiah, N., Camilo, F., Wigham, W., Meneely, A., Nagappan, M.: Do bugs foreshadow vulnerabilities? An in-depth study of the Chromium project. Empirical Softw. Eng. 22, 1305–1347 (2016)

  13. Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2007, pp. 529–540. Association for Computing Machinery, New York (2007). https://doi.org/10.1145/1315245.1315311

  14. Péter, G., et al.: BugsJS: a benchmark of JavaScript bugs. In: Proceedings of the 12th IEEE Conference on Software Testing, Validation and Verification (ICST), pp. 90–101. IEEE, April 2019. https://doi.org/10.1109/ICST.2019.00019

  15. Rahimi, S., Zargham, M.: Vulnerability scrying method for software vulnerability discovery prediction without a vulnerability database. IEEE Trans. Reliab. 62(2), 395–407 (2013)

  16. Shahzad, M., Shafiq, M.Z., Liu, A.X.: A large scale exploratory analysis of software vulnerability life cycles. In: 2012 34th International Conference on Software Engineering (ICSE), pp. 771–781 (2012)

  17. Shukla, S., Behera, R.K., Misra, S., Rath, S.K.: Software reliability assessment using deep learning technique. In: Chakraverty, S., Goel, A., Misra, S. (eds.) Towards Extensible and Adaptable Methods in Computing, pp. 57–68. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-2348-5_5

  18. Sliwerski, J., Zimmermann, T., Zeller, A.: When do changes induce fixes? In: Proceedings of the 2005 International Workshop on Mining Software Repositories, MSR 2005, pp. 1–5. Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1083142.1083147

  19. Śliwerski, J., Zimmermann, T., Zeller, A.: When do changes induce fixes? In: Proceedings of the 2005 International Workshop on Mining Software Repositories, MSR 2005, pp. 1–5. Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1083142.1083147

  20. U.S. National Institute of Standards and Technology: National Vulnerability Database (2020). https://nvd.nist.gov/home. Accessed 29 Apr 2020

  21. Vaidya, R.K., De Carli, L., Davidson, D., Rastogi, V.: Security issues in language-based software ecosystems. arXiv preprint arXiv:1903.02613 (2019)

  22. Vásquez, M.L., Bavota, G., Escobar-Velasquez, C.: An empirical study on Android-related vulnerabilities. In: Proceedings of the IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 2–13 (2017)

  23. Wijayasekara, D., Manic, M., Wright, J.L., McQueen, M.: Mining bug databases for unidentified software vulnerabilities. In: 2012 5th International Conference on Human System Interactions, pp. 89–96 (2012)

  24. Wu, L.L., Xie, B., Kaiser, G.E., Passonneau, R.: BugMiner: software reliability analysis via data mining of bug reports (2011)

  25. Xu, Z., Chen, B., Chandramohan, M., Liu, Y., Song, F.: SPAIN: security patch analysis for binaries towards understanding the pain and pills. In: Proceedings of the IEEE/ACM 39th International Conference on Software Engineering (ICSE), pp. 462–472, May 2017. https://doi.org/10.1109/ICSE.2017.49

Corresponding author: Péter Hegedűs.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Antal, G., Mosolygó, B., Vándor, N., Hegedűs, P. (2020). A Data-Mining Based Study of Security Vulnerability Types and Their Mitigation in Different Languages. In: Gervasi, O., et al. (eds.) Computational Science and Its Applications – ICCSA 2020. ICCSA 2020. Lecture Notes in Computer Science, vol. 12252. Springer, Cham. https://doi.org/10.1007/978-3-030-58811-3_72

  • DOI: https://doi.org/10.1007/978-3-030-58811-3_72

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58810-6

  • Online ISBN: 978-3-030-58811-3

  • eBook Packages: Computer Science (R0)