Informed Vulnerability Assessment


Informed Vulnerability Assessment aims to improve the state of practice in statically, dynamically, and manually analyzing the security of an application by proposing three ranking systems: Rule Ranking, Criticality Ranking, and Risk Ranking. It works as follows:

  1. Rule Ranking information is used to determine which rules are relevant for a given category of application, thus increasing the speed at which a static analyzer can execute and produce feedback.
  1. Criticality Ranking information is used to determine which of the vulnerabilities detected by static analysis should be dynamically analyzed first.
  1. Risk Ranking information is used by a security analyst to determine which risks are likely to be posed by an application of a given category, thus informing the manual inspection process.
The following framework gives an overview of the process by which the three ranking systems are developed.


[Figure: framework overview. Rule Ranking (1 dimensional); Risk Ranking (2 dimensional)]

| Component Name | Description | Research Artifacts and Experimental Data |
|---|---|---|
| Vulnerability Detection Rules | A set of security vulnerability patterns in the source code. | Fortify embedded Java rule-pack, ver. 2012.3.0.0008, provided by W. Enck as part of the ded Project |
| Categorized Repository | An open-source software repository in which each application is labeled with a predefined class or category. | |
| Static Analyzer | A tool that inspects the code repository and looks for any instance that matches the patterns defined in the rules. | |
| Analysis Reports | The results of static analysis, consisting of all locations in the code that are detected as potential vulnerabilities. | App spec template (.txt) and app analysis report template (.xml); Java app spec set (.zip) and analysis reports collection (.zip); Android app spec set (.zip) and analysis reports collection (.zip) |
| Probabilistic Rule Classifier | A probabilistic classifier that ranks each vulnerability based on its frequency in the Analysis Reports. | Classifier source code |
| Rule Ranking | A higher score means that the corresponding rule is more likely to detect a vulnerability in that category. | Java: Rule Ranking and Frequency Scores; Android: Rule Ranking and Frequency Scores |
| Vulnerability Impact Calculator | Ranks each vulnerability based on its threat to the security properties of the system (i.e., Confidentiality, Integrity, and Availability). | Java: N/A; Android: CVSS-based survey form |
| Criticality Ranking | A higher impact means more severe consequences if the vulnerability is exploited. | Java: N/A; Android: Criticality Ranking and Impact Scores |
| Risk Assessor | Combines the two previous scores (i.e., the frequency score and the impact score) into a new two-dimensional score. | N/A |
| Risk Ranking | Provides an assessment of the security rules in each software category based on the severity and likelihood of each vulnerability. | Java: N/A; Android: Risk Ranking and Scores |
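The three rankings above, as an added worked example that is not the project's own classifier, survey, or report template. Constructed analysis reports in a made-up XML layout are turned into a per-category rule-frequency score (Rule Ranking), a CIA-based impact score (Criticality Ranking), and a two-dimensional likelihood/impact pair per rule (Risk Ranking). The frequency estimator (fraction of apps in a category in which a rule fires at least once), the CIA weights, the rule names, and all report data are assumptions made for this example.

```python
"""Worked example of Rule, Criticality and Risk Ranking over constructed data.

The XML layout, the frequency estimator and the CIA weights are assumptions
for this example, not the project's report template or classifier.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed analysis reports: one <app> per analysed program, labelled with
# its category, and one <finding> per static-analysis hit.  Assumed layout.
REPORTS_XML = """
<reports>
  <app name="chat-a" category="messaging">
    <finding rule="SQL Injection" file="Db.java" line="42"/>
    <finding rule="SQL Injection" file="Db.java" line="77"/>
    <finding rule="Insecure Random" file="Token.java" line="10"/>
  </app>
  <app name="chat-b" category="messaging">
    <finding rule="SQL Injection" file="Store.java" line="12"/>
    <finding rule="Path Manipulation" file="Files.java" line="5"/>
  </app>
  <app name="chat-c" category="messaging">
    <finding rule="Insecure Random" file="Rng.java" line="3"/>
  </app>
  <app name="game-a" category="game">
    <finding rule="Insecure Random" file="Dice.java" line="8"/>
  </app>
  <app name="game-b" category="game">
    <finding rule="Path Manipulation" file="Save.java" line="21"/>
    <finding rule="Insecure Random" file="Dice.java" line="8"/>
  </app>
</reports>
"""

# Constructed CVSS-style impact ratings per rule (Confidentiality, Integrity,
# Availability on a 0..1 scale): stand-ins for the Android survey results.
IMPACT_CIA = {
    "SQL Injection":     (0.9, 0.9, 0.5),
    "Path Manipulation": (0.7, 0.7, 0.3),
    "Insecure Random":   (0.6, 0.3, 0.0),
}


def parse_reports(xml_text):
    """Return {category: [set of rules that fired in each app, ...]}."""
    by_cat = defaultdict(list)
    for app in ET.fromstring(xml_text).findall("app"):
        rules = {f.get("rule") for f in app.findall("finding")}
        by_cat[app.get("category")].append(rules)
    return by_cat


def rule_ranking(by_cat):
    """Frequency score per (category, rule): the fraction of apps in the
    category in which the rule fires at least once.  This is our assumed
    estimator of P(rule fires | category); multiple hits in one app count once
    so a single noisy app cannot dominate the category."""
    scores = {}
    for cat, apps in by_cat.items():
        counts = defaultdict(int)
        for rules in apps:
            for rule in rules:
                counts[rule] += 1
        scores[cat] = {rule: n / len(apps) for rule, n in counts.items()}
    return scores


def impact_score(cia, weights=(0.4, 0.4, 0.2)):
    """Assumed weighted CIA sum; only its ordering matters for criticality."""
    return sum(w * v for w, v in zip(weights, cia))


def criticality_ranking(impacts):
    """Rules ordered by impact, highest first: the dynamic-analysis queue."""
    return sorted(impacts, key=lambda r: impact_score(impacts[r]), reverse=True)


def risk_ranking(freq_scores, impacts, category):
    """Two-dimensional risk per rule for one category: (rule, likelihood,
    impact, likelihood*impact), ordered by the product.  A rule never seen in
    the category gets likelihood 0 and therefore sinks to the bottom."""
    rows = []
    for rule, cia in impacts.items():
        likelihood = freq_scores.get(category, {}).get(rule, 0.0)
        impact = impact_score(cia)
        rows.append((rule, likelihood, impact, likelihood * impact))
    return sorted(rows, key=lambda t: t[3], reverse=True)


def relevant_rules(freq_scores, category, threshold=0.5):
    """Rules worth enabling in the static analyzer for a category: those whose
    frequency score reaches the (assumed) threshold."""
    return sorted(r for r, s in freq_scores.get(category, {}).items()
                  if s >= threshold)


if __name__ == "__main__":
    freq = rule_ranking(parse_reports(REPORTS_XML))
    for cat in freq:
        print(cat, "relevant rules:", relevant_rules(freq, cat))
        for row in risk_ranking(freq, IMPACT_CIA, cat):
            print("  %-18s likelihood=%.2f impact=%.2f risk=%.2f" % row)
    print("criticality:", criticality_ranking(IMPACT_CIA))
```

The output of `risk_ranking` keeps likelihood and impact as separate columns rather than only their product, since the point of the two-dimensional score is that an analyst can tell a frequent, low-impact rule apart from a rare, high-impact one even when the products are close; in the constructed data "Insecure Random" leads the game category by frequency while "SQL Injection" leads messaging by impact.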