We approach the study of software security from the perspective of software engineering: how do we build secure software from the start? Thus, the primary focus of our software security research is in the prevention (or pre-release detection) of security vulnerabilities in software systems. We view a security vulnerability as an instance of a fault (i.e. bug) in a program that violates an implicit or explicit security policy.
In the Realsearch group, our primary method for studying software security is empirical analysis. Security vulnerabilities can be introduced into a system in a variety of ways; perhaps the code is too complex, changing too often, or not being changed by the right people. We take these potential causes and capture them in software metrics. We then examine whether statistical correlations exist between those software metrics and the security vulnerabilities reported in a given system.
For example, one of our studies found that, in the Linux kernel, source code files changed by nine developers or more were 16 times more likely to have at least one post-release security vulnerability. With this kind of result, we are directing researchers and practitioners alike to investigate the potential causes of this connection as a way to produce secure software.
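To make the method concrete, here is an added example (not the group's own code or data) of the pipeline the two paragraphs above describe: derive a metric from version-control history, label files that later had a security fix, and measure the association. The commit records, file names, developer names, and vulnerability labels are all constructed for illustration; the threshold of nine developers follows the study result quoted above. Real histories would come from something like `git log --name-only`, and a real analysis would also report a significance test, which this toy data set is far too small to support.

```python
from collections import defaultdict

# Constructed sample history (not data from any study): number of distinct
# developers who touched each file, and which files later had a security fix.
_FILE_DEV_COUNTS = {
    "src/parser.c": 12,
    "src/net.c": 9,
    "src/auth.c": 10,
    "src/util.c": 3,
    "src/log.c": 2,
    "src/config.c": 5,
    "src/cli.c": 1,
    "src/ui.c": 4,
}
VULNERABLE_FILES = {"src/parser.c", "src/net.c", "src/cli.c"}

# Expand the counts into (file, author) commit records, the shape one gets
# from version-control history. Every file also receives a second commit
# from its first author, so the metric must count distinct developers,
# not commits.
COMMITS = [
    (path, f"dev{i}")
    for path, n in _FILE_DEV_COUNTS.items()
    for i in range(n)
] + [(path, "dev0") for path in _FILE_DEV_COUNTS]


def developers_per_file(commits):
    """Metric: number of distinct developers who changed each file."""
    authors = defaultdict(set)
    for path, author in commits:
        authors[path].add(author)
    return {path: len(devs) for path, devs in authors.items()}


def contingency(dev_counts, vulnerable, threshold=9):
    """2x2 table: a = many devs & vulnerable, b = many devs & clean,
    c = few devs & vulnerable, d = few devs & clean."""
    table = {"a": 0, "b": 0, "c": 0, "d": 0}
    cell = {(True, True): "a", (True, False): "b",
            (False, True): "c", (False, False): "d"}
    for path, n in dev_counts.items():
        table[cell[(n >= threshold, path in vulnerable)]] += 1
    return table


def relative_risk(table):
    """P(vulnerable | many devs) / P(vulnerable | few devs).
    Returns inf when a group is empty or no few-dev file is vulnerable."""
    a, b, c, d = table["a"], table["b"], table["c"], table["d"]
    if a + b == 0 or c == 0:
        return float("inf")
    return (a / (a + b)) / (c / (c + d))


def odds_ratio(table):
    """(a*d)/(b*c); inf when a zero cell makes it undefined."""
    a, b, c, d = table["a"], table["b"], table["c"], table["d"]
    if b * c == 0:
        return float("inf")
    return (a * d) / (b * c)


if __name__ == "__main__":
    counts = developers_per_file(COMMITS)
    table = contingency(counts, VULNERABLE_FILES)
    print("developer counts:", counts)
    print("contingency table:", table)
    print(f"relative risk = {relative_risk(table):.2f}, "
          f"odds ratio = {odds_ratio(table):.2f}")
```

On this constructed data, two of the three files with nine or more developers are vulnerable against one of the five with fewer, giving a relative risk of about 3.3 and an odds ratio of 8. Which ratio is reported matters when the result is quoted: "16 times more likely" reads as a relative risk, and the two diverge sharply when vulnerabilities are rare. As the text notes, such an association directs investigation toward a cause; it does not by itself establish one.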
The two main contributions of our work are (a) predictive models, and (b) useful statistical associations that guide us in understanding what it takes to build secure software.