As the world continues to embrace a completely digital society in all aspects of life, the ever-present threat of a security flaw in a software system looms. Especially with a stream of high-profile security flaws and breaches, the public is more aware of the risk now than ever before.
However, the reality of any software project is that there are engineering concerns of the utmost importance that all demand simultaneous attention. To balance and manage these challenges, software engineering has developed patterns of industry activities and best practices. Yet even as engineers rely on these practices to stay afloat, managing security can become elusive in a tangled mess of complex relationships between systems. Modern software projects rely upon other software to do their job; only the most niche and specialized software lives in isolation in today's industry.
In this work, we present an approach to help alleviate one of the aspects of actively managing security in a software project. The objectives of this approach are 1) to establish the presence of a known vulnerability in a software project version and 2) to develop a set of versions of a software project which identify vulnerability status. We tested the approach on three Apache Software Foundation projects, for a total of eleven vulnerabilities tested. In the analysis of the results, we find that the approach is conservative in marking a particular version "not vulnerable", but when it does so, it is completely consistent with the evaluation results. This conservative nature is a beneficial characteristic of the approach when considering the context of software security in which it operates.
Library of Congress Subject Headings: Computer software--Security measures
Degree: Software Engineering (MS)
Department, Program, or Center: Software Engineering (GCCIS)
Cabrey, Craig, "Identifying the Presence of Known Vulnerabilities in the Versions of a Software Project" (2016). Thesis. Rochester Institute of Technology. Accessed from
RIT – Main Campus