- Software Engineering Research
- Information and Cyber Security
- Advanced Malware Detection Techniques
- Software Reliability and Analysis Research
- Web Application Security Vulnerabilities
- Network Security and Intrusion Detection
- Chromium effects and bioremediation
- Software System Performance and Reliability
- Digital and Cyber Forensics
- Open Source Software Innovations
- Software Engineering Techniques and Practices
- Online Learning and Analytics
- Software Testing and Debugging Techniques
- Interpreting and Communication in Healthcare
- Language, Discourse, Communication Strategies
- Hate Speech and Cyberbullying Detection
- Digital Marketing and Social Media
- Scientific Computing and Data Management
- Topic Modeling
- Anomaly Detection Techniques and Applications
- Technology Adoption and User Behaviour
- Natural Language Processing Techniques
- Mobile and Web Applications
Rochester Institute of Technology
2016-2022
The Common Vulnerability Scoring System (CVSS) is the de facto standard for vulnerability severity measurement today and is crucial in the analytics driving software fortification. Required by the U.S. National Vulnerability Database, over 75,000 vulnerabilities have been scored using CVSS. We compare how CVSS correlates with another, closely-related measure of security impact: bounties. Recent economic studies of disclosure processes show a clear relationship between black market value and bounty payments. We analyzed scores...
Mobile app developers today have a hard decision to make: independently develop native apps for different operating systems, or develop an app that is cross-platform compatible. The availability of tools and approaches to support either kind of development only makes the decision harder. In this study, we used user reviews to empirically understand the relationship (if any) between the development approach of an app and its perceived quality. We used Natural Language Processing (NLP) models to classify 787,228 user reviews of the Android and iOS versions of 50 apps as complaints in one of four quality...
Background: Inculcating an attacker mindset (i.e. learning to think like an attacker) is an essential skill for engineers and administrators to improve the overall security of software. Describing the approach that adversaries use to discover and exploit vulnerabilities to infiltrate software systems can help inform such a mindset. Aims: Our goal is to assist developers in inculcating an attacker mindset by proposing an approach to codify attacker behavior in a cybersecurity penetration testing competition. Method: We used an existing multimodal dataset of events captured during...
Software forges like GitHub host millions of repositories. Software engineering researchers have been able to take advantage of such a large corpus of potential study subjects with the help of tools like GHTorrent and Boa. However, the simplicity in querying comes with a caveat: there are limited means of separating signal (e.g. repositories containing engineered software projects) from noise (e.g. repositories containing homework assignments). The proportion of noise in a random sample could skew findings and may lead to reaching unrealistic, potentially inaccurate, conclusions. We...
When reasoning about software security, researchers and practitioners use the phrase "attack surface" as a metaphor for risk. Enumerate and minimize the ways attackers can break in, the metaphor says, and risk is reduced and the system is better protected. But systems are much more complicated than their surfaces. We propose function- and file-level attack surface metrics, proximity and risky walk, that enable fine-grained risk assessment. Our risky walk metric is highly configurable: we use PageRank on a probability-weighted call graph to...
Existing work on identifying security requirements relies on training binary classification models using domain-specific data sets to achieve a high accuracy. Considering that such data sets are often not readily available, we propose a domain-independent model for classifying security requirements based on two key ideas. First, we train our model on the descriptions of weaknesses from the Common Weakness Enumeration (CWE) set. Although CWE does not describe requirements, it describes manifestations of unrealized requirements. Second, we exploit one-class only...
The success or failure of a mobile application ('app') is largely determined by user ratings. Users frequently make their app choices based on the ratings of apps in comparison with similar, often competing apps. Users also expect apps to continually provide new features while maintaining quality, or the ratings drop. At the same time, apps must be secure, but is there a historical trade-off between security and ratings? Or are app store ratings a more all-encompassing measure of product maturity? We used static analysis tools to collect security-related...
Android applications rely on a permission-based model to carry out core functionality. Appropriate permission usage is imperative for ensuring device security and protecting the user's desired privacy levels. But who is making the important decisions about which permissions an app should request? Are they experienced developers with the appropriate project knowledge to make such decisions, or are these crucial choices being made by those with relatively minor amounts of contributions to the project? When permission-related in...
The Android platform comprises the vast majority of the mobile market. Unfortunately, apps are not immune to the issues that plague conventional software, including security vulnerabilities, bugs, and permission-based problems. In order to address these issues, we need a better understanding of the apps in use every day. Over the course of more than a year, we collected and reverse engineered 64,868 apps from the Google Play store as well as 1,669 malware samples from several sources. Each app was analyzed using static analysis tools to collect a variety...
Software metrics help developers discover and fix mistakes. However, despite promising empirical evidence, vulnerability discovery metrics are seldom relied upon in practice. In prior research, the effectiveness of these metrics has typically been expressed using the precision and recall of a prediction model that uses the metrics as explanatory variables. These models, being black boxes, may not be perceived as useful by developers. By systematically interpreting the models and metrics, we can provide developers with nuanced insights about the factors that have...
Benjamin S. Meyers, Nuthan Munaiah, Emily Prud’hommeaux, Andrew Meneely, Josephine Wolff, Cecilia Ovesdotter Alm, Pradeep Murukannaiah. Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers). 2018.
Experts suggest that engineering secure software requires a defensive mindset to be ingrained in developer culture, which could be reflected in conversation. But what does conversation about security in a real project look like? Linguists analyze a wide array of characteristics: lexical, syntactic, semantic, and pragmatic. Pragmatics focus on identifying the style and tone of an author's language. If security requires a different mindset, then perhaps this would be reflected in the conversations' pragmatics. Our goal is to characterize the pragmatic features...
The rapid pace with which software needs to be built, together with the increasing need to evaluate changes for end users both quantitatively and qualitatively, calls for novel software engineering approaches that focus on short release cycles, continuous deployment and delivery, experiment-driven feature development, feedback from users, and tool-assisted developers. To realize these, there is a need for research and innovation with respect to automation and tooling, and furthermore into organizational support for flexible data-driven decision-making in...
As more aspects of our daily lives rely on technology, the software that enables that technology must be secure. Developers use practices such as threat modeling, static and dynamic analyses, code review, fuzz testing and penetration testing to engineer secure software. These practices, while effective at identifying vulnerabilities in software, are limited in their ability to describe potential reasons for the existence of vulnerabilities. In order to overcome this limitation, researchers have proposed empirically validated...
In this report, we describe the review protocol that will guide the systematic review of literature in metrics-based discovery of vulnerabilities. The protocol has been developed in adherence with the guidelines for performing Systematic Literature Reviews in Software Engineering prescribed by Kitchenham and Charters.