2019
Nembhard, Fitzroy D.; Carvalho, Marco M.; Eskridge, Thomas C.
Towards the Application of Recommender Systems to Secure Coding Journal Article
In: EURASIP Journal on Information Security, vol. 2019, no. 1, pp. 9, 2019, ISBN: 2510-523X.
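@comment{nembhard_recommender_journal: author names stored as "Last, First" so
  the style decides abbreviation; 2510-523X is an ISSN-format identifier and
  was mislabelled isbn; the url field was only the DOI resolver link and is
  covered by doi (urldate dropped with it); date carries the full 2019-06-13
  and replaces year; pubstate "published" is not a biblatex pubstate key and
  was dropped. Acronyms in journal are braced for robustness.}
@article{nembhard_recommender_journal,
  author    = {Nembhard, Fitzroy D. and Carvalho, Marco M. and Eskridge, Thomas C.},
  title     = {Towards the Application of Recommender Systems to Secure Coding},
  journal   = {{EURASIP} Journal on Information Security},
  volume    = {2019},
  number    = {1},
  pages     = {9},
  date      = {2019-06-13},
  doi       = {10.1186/s13635-019-0092-4},
  issn      = {2510-523X},
  abstract  = {Secure coding is crucial for the design of secure and efficient software and computing systems. However, many programmers avoid secure coding practices for a variety of reasons. Some of these reasons are lack of knowledge of secure coding standards, negligence, and poor performance of and usability issues with existing code analysis tools. Therefore, it is essential to create tools that address these issues and concerns. This article features the proposal, development, and evaluation of a recommender system that uses text mining techniques, coupled with IntelliSense technology, to recommend fixes for potential vulnerabilities in program code. The resulting system mines a large code base of over 1.6 million Java files using the MapReduce methodology, creating a knowledge base for a recommender system that provides fixes for taint-style vulnerabilities. Formative testing and a usability study determined that surveyed participants strongly believed that a recommender system would help programmers write more secure code.},
  keywords  = {ab testing, bugs, code security, intellisense, java, minhash, recommender systems, simhash, software quality, user study, vulnerability detection},
  tppubtype = {article},
}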
Nembhard, Fitzroy; Carvalho, Marco
The Impact of Interface Design on the Usability of Code Analyzers Proceedings Article
In: 2019 SoutheastCon, pp. 1-6, 2019.
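@comment{nembhard2019_analyzer_usability: author names stored as "Last, First";
  page range uses a double hyphen; urldate dropped because the entry has no
  url (doi is the locator); date carries 2019-04-11 and replaces year;
  pubstate "published" is not a biblatex pubstate key and was dropped.}
@inproceedings{nembhard2019_analyzer_usability,
  author    = {Nembhard, Fitzroy and Carvalho, Marco},
  title     = {The Impact of Interface Design on the Usability of Code Analyzers},
  booktitle = {2019 SoutheastCon},
  pages     = {1--6},
  date      = {2019-04-11},
  doi       = {10.1109/SoutheastCon42311.2019.9020339},
  keywords  = {ab testing, code analysis, code security, ui design, user study, vulnerability detection},
  tppubtype = {inproceedings},
}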
2018
Nembhard, Fitzroy; Carvalho, Marco; Eskridge, Thomas
Extracting Knowledge from Open Source Projects to Improve Program Security Proceedings Article
In: SoutheastCon 2018, pp. 1-7, 2018.
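@comment{ExtractingKnowledge: author names stored as "Last, First"; page range
  uses a double hyphen; urldate dropped because the entry has no url (doi is
  the locator); date carries 2018-04-19 and replaces year; pubstate
  "published" is not a biblatex pubstate key and was dropped. The abstract's
  last sentence read "SOL Injection", a typo for "SQL Injection" (matches the
  keywords); corrected. Citation key kept as-is so existing citations resolve.}
@inproceedings{ExtractingKnowledge,
  author    = {Nembhard, Fitzroy and Carvalho, Marco and Eskridge, Thomas},
  title     = {Extracting Knowledge from Open Source Projects to Improve Program Security},
  booktitle = {SoutheastCon 2018},
  pages     = {1--7},
  date      = {2018-04-19},
  doi       = {10.1109/SECON.2018.8478906},
  abstract  = {Open source repositories contain a wealth of unstructured and unlabeled data from which useful knowledge can be extracted. This knowledge can be applied in a wide range of applications such as discovering how programmers improve their programs over time and finding patterns to detect and mitigate vulnerabilities. In this work, we propose to use text mining and machine learning to extract knowledge from open source code in order to categorize and structure source code. By mining a subset (over 600,000 Java files) of a 2011 dataset that contains over 70,000 open source projects, we present a case study showing that useful patterns can be extracted from source code and that these patterns can be used to create a recommender system to help programmers avoid unsafe practices. We demonstrate the utility of our proposed techniques by applying them to the detection of SQL Injection.},
  keywords  = {code repositories, code security, data mining, knowledge extraction, software security, SQL injection, SQLI, text mining},
  tppubtype = {inproceedings},
}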
2017
Nembhard, Fitzroy; Carvalho, Marco; Eskridge, Thomas
A Hybrid Approach to Improving Program Security Proceedings Article
In: 2017 IEEE Symposium Series on Computational Intelligence (SSCI), 2017.
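@comment{nembhard_hybrid_2017: author names stored as "Last, First"; acronyms
  in booktitle braced so no style recases them; urldate dropped because the
  entry has no url; date carries 2017-11-27 and replaces year; pubstate
  "published" is not a biblatex pubstate key and was dropped. No doi or pages
  are recorded for this entry; add them from the publisher record when known.}
@inproceedings{nembhard_hybrid_2017,
  author    = {Nembhard, Fitzroy and Carvalho, Marco and Eskridge, Thomas},
  title     = {A Hybrid Approach to Improving Program Security},
  booktitle = {2017 {IEEE} Symposium Series on Computational Intelligence ({SSCI})},
  date      = {2017-11-27},
  abstract  = {The security of computer programs and systems is a very critical issue. With the number of attacks launched on computer networks and software, businesses and IT professionals are taking steps to ensure that their information systems are as secure as possible. However, many programmers do not think about adding security to their programs until their projects are near completion. This is a major mistake because a system is as secure as its weakest link. If security is viewed as an afterthought, it is highly likely that the resulting system will have a large number of vulnerabilities, which could be exploited by attackers. One of the reasons programmers overlook adding security to their code is because it is viewed as a complicated or time-consuming process. This paper presents a tool that will help programmers think more about security and add security tactics to their code with ease. We created a model that learns from existing open source projects and documentation using machine learning and text mining techniques. Our tool contains a module that runs in the background to analyze code as the programmer types and offers suggestions of where security could be included. In addition, our tool fetches existing open source implementations of cryptographic algorithms and sample code from repositories to aid programmers in adding security easily to their projects.},
  keywords  = {code security, cybersecurity, recommender systems, topic modeling, vulnerability detection, vulnerability mitigation},
  tppubtype = {inproceedings},
}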