Visit of Prof. Dr. José Alexandre D’Abruzzo Pereira

In August we received the visit of Prof. Dr. José Alexandre D’Abruzzo Pereira, from the University of Coimbra. His research interests include security and vulnerability detection, static code analysis, software project management, databases, software quality, cloud computing, and self-adaptive systems.

Lecture information:

Title: “Software Security Characterization through Static Data Analysis – Results and Future Research Direction”

Abstract:

Modern enterprises rely on software systems to run their business: financial, healthcare, government, and e-commerce, among many others. However, many systems are deployed with vulnerabilities caused by a design flaw or an implementation bug. The malicious exploitation of those security vulnerabilities may lead to various problems with financial or legal implications. Static Code Analysis (SCA) is a vulnerability detection technique that reports potential problems (alerts) without requiring the execution of the code. This is done through the use of Static Analysis Tools (SATs). However, such tools are frequently too expensive for most organizations, and they report either many false positives or many false negatives. Consequently, developers are required to spend a considerable amount of time analyzing the reported cases without being sure that all vulnerabilities have been detected.

In this talk, I will present techniques to characterize software code units (e.g., functions) from a security vulnerability perspective, making use of static data from the source code. The dataset used contains vulnerabilities from five open-source C/C++ projects (Linux Kernel, Mozilla, Xen, Apache httpd, and glibc), and static data (Software Metrics (SMs) and alerts from SATs) extracted from the vulnerable and neutral versions of the code. Vulnerabilities are organized into categories, devised based on the improper use or lack of use of the OWASP best practices. Additionally, I will present the future research direction using static data to characterize software code units.

Short Bio:

José D’Abruzzo Pereira holds a Ph.D. in Informatics Engineering from the University of Coimbra (UC), is currently an Invited Assistant Professor at the University of Coimbra, and is a member of the Software and System Engineering (SSE) group at CISUC. His research interests include security and vulnerability detection, static code analysis, software project management, databases, software quality, cloud computing, and self-adaptive systems. He received an M.Sc. in Information Technology and Software Engineering from the University of Coimbra and Carnegie Mellon University, and a B.Sc. in Computer Science from the State University of Campinas – Brazil (Unicamp). He also teaches in the Specialization in Software Engineering at the State University of Campinas – Brazil (Unicamp).
