Vulnerability Detection is Just the Beginning
It addresses the problem of insufficient guidance for decision-makers in selecting vulnerability detection tools, but appears incremental as it builds on existing empirical analysis without introducing new methods.
This research aims to help software project managers choose vulnerability detection techniques by empirically analyzing their efficiency and effectiveness, examining relationships between technique, vulnerability type, exploitability, and fix effort in controlled and open-source projects.
Vulnerability detection plays a key role in secure software development. There are many different vulnerability detection tools and techniques to choose from, and insufficient information on which vulnerability detection techniques to use and when. The goal of this research is to assist managers and other decision-makers on software projects in making informed choices about the use of different software vulnerability detection techniques through empirical analysis of the efficiency and effectiveness of each technique. We will examine the relationships between the vulnerability detection technique used to find a vulnerability, the type of vulnerability found, the exploitability of the vulnerability, and the effort needed to fix a vulnerability on two projects where we ensure all vulnerabilities found have been fixed. We will then examine how these relationships are seen in Open Source Software more broadly where practitioners may use different vulnerability detection techniques, or may not fix all vulnerabilities found due to resource constraints.