Orthogonal Security Defect Classification for Secure Software Development

Hunny, UMME

31 October 2012

Security defects or vulnerabilities are inescapable in software development. Thus, it is always better to address security issues during the software development phases, rather than developing patches after the security threats are already in place. In line with this, a number of secure software development approaches have been proposed so far to address the security issues during the development processes. However, most of these approaches lack specific process improvement activities. The practice of taking adequate corrective measures at the earliest possible time by learning from the past mistakes is absent in case of such security-aware iterative software development processes. As one might imagine, software security defect data provide an invaluable source of information for a software development team. This thesis aims at investigating existing security defect classification schemes and providing a structured security-specific defect classification and analysis methodology. Our methodology which we build on top of the Orthogonal Defect Classification (ODC) scheme, is customized to generate in-process feedback by analyzing security defect data. More specifically, we perform a detailed analysis on the classified security defect data and obtain in-process feedback using which the next version of software can be more secure and reliable. We experiment our methodology on the Mozilla Firefox and Chrome security defect repositories using six consecutive versions and milestones, respectively. We find that the in-process feedback generated by applying this methodology can help take corrective actions as early as possible in iterative secure software development processes. Finally, we study the correlations between software security defect types and the phases of software development life-cycle to understand development improvement by complementing the previous ODC scheme. / Thesis (Master, Computing) -- Queen's University, 2012-10-30 15:47:34.47

Security defect classification

Software security

Developing a Simplified and Consistent Defect Taxonomy for Smaller Enterprises / Att utveckla en förenklad och konsekvent defekttaxonomi för mindre företag

Iivanainen, Johanna

January 2021

Developing software that meets the customers’ requirements, expectations, and quality standards is a challenging task for all software organizations. As modern software becomes more and more complex, so do the defects of the software. The aim of this study was to develop a simplified and consistent defect taxonomy that could be executable and usable for smaller enterprises or organizations that want to implement a simplified taxonomy. The aim of this study was also to find characteristic defects that exist in Small- and Medium-sized Enterprises (SMEs) by using the taxonomy. A manual defect classification was done on bug reports collected from three organizations with the same company size as SMEs. An agreement analysis was also conducted in this study to investigate the consistency of the taxonomy. This was done by letting different people classify a subset of the bug reports collected for this study using the proposed taxonomy. Furthermore, in this study, I also investigated how executable and usable the taxonomy would be for smaller enterprises. This was done through four interviews and a survey with seven respondents. The result of the defect classification indicates that Program anomaly (58%), GUI (17%) and Configuration (13%) are three of the most common defect types that exist in SMEs. The result of the defect classification indicates that SMEs have a problem with defects breaking features that worked correctly before, where 19% of all bug reports used in this study were classified as Regression. The survey result indicates that taxonomy is easy to use. However, the result of the different classifications showed that the use of the taxonomy is not consistent between different classifiers. The results of the interviews and the survey indicate that the taxonomy would be executable for smaller enterprises. However, to also be fully usable, the proposed taxonomy needs to be adapted to the particular enterprise, and requires the right competence to propose appropriate measures for the particular enterprise. / Att utveckla mjukvara som möter kundernas krav, förväntningar och som håller en hög kvalité är en utmanande uppgift som alla företag står inför. Den moderna mjukvaran blir allt mer komplex, vilket i sin tur även bidrar till fler och mer komplexa mjukvarufel. Den här studien har som mål att skapa en ny förenklad och konsekvent defekttaxonomi som kan vara genomförbar och användbar för mindre företag och organisationer som vill använda sig av en enklare taxonomi. Målet med det här examensarbetet är också att kartlägga karaktäristiska mjukvarufel i små och medelstora företag med hjälp av den nyutvecklade taxonomin. För att lyckas med detta klassificerades felrapporter från tre organisationer som är av samma storlek som små och medelstora företag. Den här studien analyserade även hur konsekvent taxonomin är genom att låta olika människor klassificera en delmängd av studiens felrapporter. Den här studien undersöker även hur genomförbar och användbar defekttaxonomin är för mindre företag. Detta genomfördes genom fyra intervjuer och en enkätundersökning med sju respondenter. Resultatet av den här studien indikerar att små och medelstora företag främst har problem med mjukvarufel som ger upphov till oväntat och oönskat beteende kopplat till mjukvarans funktionalitet (58%). Den här studien indikerar även att gränssnittsdefekter (17%) och konfigureingsproblem (13%) också är vanliga mjukvarufel inom dessa organisationer. Den här studien har även uppmärksammat att mindre företag kan ha problem med mjukvarufel som tar sönder funktionalitet som fungerat korrekt tidigare, även kallad regressioner, där 19% av alla felrapporter blev klassificerade som det. Resultatet av enkätundersökningen indikerar att taxonomin är enkel att använda. Å andra sidan, de olika klassifikationerna visade att användningen av taxonomin inte var konsekvent. Resultatet av intervjuerna och enkätundersökningen indikerar att taxonomin är genomförbar för mindre företag. Å andra sidan, för att defekttaxonomin ska vara användbar behöver den anpassas efter det särskilda företaget. Den kräver även den rätta kompetensen för att ta fram lämpliga åtgärden för det särskilda företaget.

Defect Taxonomy

Defect Classification

Small- and Medium-sized Enterprises

Software Defects

Manual Defect Classification.

Defekttaxonomi

Defektklassifikation

Små och medelstora företag

Mjukvarufel

Manuell defektklassificering.

Computer Sciences

Datavetenskap (datalogi)

Defect classification in LPBF images using semi-supervised learning

Göransson, Anton

January 2022

Laser powder bed fusion is an additive manufacturing technique that is capable of building metallic parts by spreading many layers of metal powder over a build surface and using a laser to melt specific sections of the surface. The part is built by melting consecutive layers on top of each other until the design is completed. However, during this process defects can occur. These defects have impacts on the part’s physical properties, and it is important to detect them for quality assurance. A single part takes several hundred or thousands of layers to build. While each layer is built, cameras and sensors are used to create images of each layer. These images are used for identification and classification of defects that could have a negative impact on a printed part’s physical properties, such as tensile strength. Classification of defects would reduce manual inspection of the printed part. Thus, the classification of defects in each layer must be automated, as it would be infeasible to manually classify each layer. Recently, machine learning have proven to be an effective method for automating defect classification in laser powder bed fusion. However, machine learning and especially deep-learning approaches generally require a large amount of labeled training data, which is typically not available for laser powder bed fusion printed parts. Labeling of images requires manual labor and domain knowledge. One of the greatest obstacles in defect classification, is how machine learning can be applied despite this absence of labeled data. A machine learning approach that show potential for being trained with less data, is the siamese neural network approach. In this thesis, a novel approach for automating defect classification is developed, using layer images from a laser powder bed fusion printing process. In order to cope with the limited access to labeled data, the classifiers are based on the siamese neural network structure. Two siamese neural network structures are developed, a one-shot classifier, which directly classifies the instance, and a hierarchical classifier with a hierarchical classification process according to the hierarchy of the defect classes. The classifiers are evaluated by inferring a test set of images collected from the laser powder bed fusion process. The one-shot classifier is able to classify the images with an accuracy of 70%and the hierarchical classifier with an accuracy of 86%. For the hierarchical classifier area of the ROC curves were calculated to be, 0.96 and 0.95 for the normal vs defect and overheating vs spattering stages respectively. Unlabeled images were added to the training set of a new instance of the hierarchical classifier, which could infer the test set without any major changes to test set accuracy.

Additive manufacturing

Laser powder bed fusion

Machine learning

Siamese neural networks

Deep learning

Defect classification

Computer and Information Sciences

Data- och informationsvetenskap

Computer Sciences

Datavetenskap (datalogi)