CN104008057A - Code safety evaluating method based on defect analysis - Google Patents


Info

Publication number: CN104008057A (granted as CN104008057B)
Authority: CN (China)
Prior art keywords: code, defect, value, risk class, PEA
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201410262288.XA
Other languages: Chinese (zh)
Other versions: CN104008057B (en)
Inventors: 范杰, 石聪聪, 郭骞, 高鹏, 李尼格, 蒋诚智, 俞庚申, 冯谷, 余勇, 曹宛恬, 鲍兴川
Current assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Smart Grid Research Institute of SGCC (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI
Priority date: 2014-06-13 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Filing date: 2014-06-13
Publication date: 2014-08-27
Events: application filed by State Grid Corp of China SGCC and China Electric Power Research Institute Co Ltd CEPRI; priority to CN201410262288.XA; publication of CN104008057A; application granted; publication of CN104008057B; legal status active; anticipated expiration.

Abstract

The invention provides a code security evaluation method based on defect analysis. The method comprises step 1, obtaining the threat degree DW of the code defects WA; step 2, building a code defect library; step 3, carrying out quantitative analysis of the code; and step 4, obtaining the security value T_A of the code. Compared with the prior art, the method can comprehensively quantify and evaluate code security from the generation of code defects during coding, the prevention of code defects through the quality of the programming personnel, and the code environment coefficient EVA. The accuracy of code security evaluation is thereby improved, code security is improved, and the overall security of application systems is enhanced.

Description

A code security evaluation method based on defect analysis
Technical field
The present invention relates to a code security evaluation method, and specifically to a code security evaluation method based on defect analysis.
Background technology
As informatization has deepened, information security attacks have also diversified, shifting from attacks on systems and networks to attacks on application systems. According to statistics from the authoritative consulting organization Gartner, 75% of current information security attacks occur at the application layer rather than at the system and network layer, and common network attacks have gradually evolved from the traditional exploitation of system vulnerabilities into attacks on weaknesses of the application itself. These weaknesses and defects of application systems are mainly caused by developers not paying attention to writing secure code.
As the kinds and functions of application systems become more diverse, their code size also grows, and code security has become an increasingly prominent security problem. Existing code security detection tools mostly detect how many defects exist in the code and do not assess the security of the code as a whole; for example, although the Fortify code security testing tool can report a security level for the code, it offers only three levels: high, medium and low.
At the same time, different code security defect research organizations, such as CWE, NIST and OWASP, describe code security defects differently, and there is no unified classification method for code security defects, which increases the complexity and difficulty of evaluating the security of an application system's code as a whole.
Therefore, to overcome the limitations of existing code security evaluation methods, which evaluate code security too coarsely and introduce too few evaluation factors, providing a new code security evaluation method is particularly important.
Summary of the invention
To meet the needs of the prior art, the invention provides a code security evaluation method based on defect analysis, comprising the following steps:
Step 1: obtain the threat degree DW of the code defects WA;
Step 2: build a code defect library;
Step 3: carry out quantitative analysis of the code;
Step 4: obtain the security value T_A of the code.
Preferably, a code defect threat degree attribute Damage is set according to the code defect classification, which yields the threat degree DW; the code defects are WA = {A_1, A_2, ..., A_i, ..., A_n}; the threat degrees are DW = {D_1, D_2, ..., D_i, ..., D_n}; DW and WA correspond one to one;
Preferably, the code defect classification is established with Fortify and comprises the critical-risk class defects Critical, the high-risk class defects High, the medium-risk class defects Medium and the low-risk class defects Low;
Preferably, the code defect library is built from the threat degree DW and the artificial impact index PEA;
The artificial impact index PEA is the impact on the threat degree DW of the handling approach that the programming personnel adopt for the code defect; PEA = {PEA_1, PEA_2, ..., PEA_i, ..., PEA_n}; PEA and WA correspond one to one;
Preferably, the quantitative analysis of the code in step 3 comprises:
Step 3-1: obtain the quantitative value C_N of the critical-risk class defects Critical, the quantitative value H_N of the high-risk class defects High, the quantitative value M_N of the medium-risk class defects Medium and the quantitative value L_N of the low-risk class defects Low;
Step 3-2: from the threat degree DW, the artificial impact index PEA and the quantitative values C_N, H_N, M_N and L_N, calculate respectively the threat quantized value T_C of the critical-risk class defects Critical, the threat quantized value T_H of the high-risk class defects High, the threat quantized value T_M of the medium-risk class defects Medium and the threat quantized value T_L of the low-risk class defects Low;
$T_C = \alpha \exp\left\{ \sum_{i=0}^{C_N} D_i \, PEA_i / \beta \right\}$;
$T_H = \alpha \exp\left\{ \sum_{i=0}^{H_N} D_i \, PEA_i / \beta \right\}$;
$T_M = \alpha \exp\left\{ \sum_{i=0}^{M_N} D_i \, PEA_i / \beta \right\}$;
where α and β are coefficients that affect the general trend of the threat quantized values;
Preferably, obtaining the security value T_A of the code in step 4 comprises:
Step 4-1: obtain the influence coefficient PT of the programming personnel, where WT_i is the working time of programming personnel i, WQ_i is the work qualification of programming personnel i, and N is the total number of programming personnel;
Step 4-2: obtain the code environment coefficient EVA, where ET is the number of executable code lines, VT is the number of valid code lines, FT is the total number of Function functions and CT is the total number of Class classes;
Step 4-3: calculate the security value T_A from the threat quantized values T_C, T_H, T_M and T_L and the code environment coefficient EVA.
Compared with the closest prior art, the beneficial effects of the present invention are:
1. In the technical solution of the present invention, building a code defect library allows code defects to be classified better and code security to be evaluated more objectively;
2. In the technical solution of the present invention, the artificial impact index PEA adds to the code security evaluation the impact on the threat degree DW of the handling approach that the programming personnel adopt for code defects;
3. In the technical solution of the present invention, the code environment coefficient EVA adds to the code security evaluation the impact of code size factors;
4. In the technical solution of the present invention, the programming personnel influence coefficient PT adds to the code security evaluation the impact of the programming personnel's working time and work qualification;
5. The code security evaluation method based on defect analysis provided by the invention can comprehensively and quantitatively evaluate code security from the generation of code defects during coding, the prevention of defects through the quality of the programming personnel, and the code environment coefficient EVA, thereby improving the accuracy of code security evaluation and the security of the code, and enhancing the overall security of application systems.
Brief description of the drawings
The present invention is further described below with reference to the accompanying drawing.
Fig. 1 is a flow diagram of the code security evaluation method based on defect analysis in an embodiment of the present invention.
Embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawing, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawing are exemplary and are intended to explain the present invention; they are not to be construed as limiting it.
The concrete steps of the code security evaluation method based on defect analysis provided by the invention are shown in Figure 1:
Step 1: obtain the threat degree DW of the code defects WA:
(1) Establish the code defect classification with Fortify, comprising the critical-risk class defects Critical, the high-risk class defects High, the medium-risk class defects Medium and the low-risk class defects Low;
Code defect classification: AttributeSet = {Critical, High, Medium, Low};
Code defect classification sets: AttributeSets = {CriticalWSet, HighWSet, MediumWSet, LowWSet};
(2) Set the code defect threat degree attribute Damage according to the code defect classification, which yields the threat degree DW; the code defects are WA = {A_1, A_2, ..., A_i, ..., A_n}; the threat degrees are DW = {D_1, D_2, ..., D_i, ..., D_n}; DW and WA correspond one to one. In the present embodiment the values of the threat degree DW are as shown in the table (table not reproduced here):
Step 2: build the code defect library;
(1) Set the artificial impact index PEA: PEA is the impact on the threat degree DW of the handling approach that the programming personnel adopt for the code defect WA; PEA = {PEA_1, PEA_2, ..., PEA_i, ..., PEA_n} corresponds one to one with the code defects WA. The values of the artificial impact index PEA are taken as shown in the following table:
Kind                                        | Artificial impact index PEA
Code defect is not modified                 | 1
Code defect is modified, but not completely | 2
Code defect is completely rectified         | 3
(2) Build the code defect library from the threat degree DW and the artificial impact index PEA.
Step 3: carry out quantitative analysis of the code:
(1) Obtain the quantitative value C_N of the critical-risk class defects Critical, the quantitative value H_N of the high-risk class defects High, the quantitative value M_N of the medium-risk class defects Medium and the quantitative value L_N of the low-risk class defects Low;
(2) From the threat degree DW, the artificial impact index PEA and the quantitative values C_N, H_N, M_N and L_N, calculate respectively (using the formulas given in step 3-2 of the summary above):
the threat quantized value T_C of the critical-risk class defects Critical;
the threat quantized value T_H of the high-risk class defects High;
the threat quantized value T_M of the medium-risk class defects Medium;
the threat quantized value T_L of the low-risk class defects Low;
where α and β are coefficients that affect the general trend of the threat quantized values; during testing, the precision of the computed threat quantized values can be adjusted by tuning the values of α and β.
Step 4: obtain the security value T_A of the code;
(1) From the number of executable code lines ET, the number of valid code lines VT, the total number of Function functions FT, the total number of Class classes CT and the programming personnel influence coefficient PT, calculate the code environment coefficient EVA,
where the value of PT is calculated from the programming personnel's working time WT and work qualification WQ as $PT = \left( \sum_{i=1}^{N} WT_i \cdot WQ_i \right) / N$, with N the total number of programming personnel.
In the present embodiment the values of the programming personnel influence coefficient PT are taken as shown in the following table:
Working time (years) | WT  | Work qualification | WQ
0-3                  | 0.1 | ≤ company          | 0.1
3-5                  | 0.3 | city level         | 0.3
5-8                  | 0.5 | provincial level   | 0.5
8-10                 | 0.8 | national level     | 0.8
more than 10         | 1   | ≥ international    | 1
(2) From the threat quantized values T_C, T_H, T_M and T_L and the code environment coefficient EVA, calculate the security value T_A.
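The per-class threat quantized value of step 3 (T = α·exp{Σ D_i·PEA_i / β}), the PEA lookup table of step 2 and the PT formula of step 4 (1) fit together in a short script. The following Python is an added example written for this page, not code from the patent or its assignees. The defect damage values D_i, the handling labels and the staff roster are constructed sample input (the page does not reproduce its DW value table); the half-open treatment of the working-time brackets (exactly 3 years falling in the 3-5 bracket) is this example's assumption, as the page does not state it; and the page gives the exponential formula for the Critical, High and Medium classes only, so applying the same form to the Low class is also an assumption here. EVA and T_A are not implemented because their formulas are absent from the page.

```python
import math
from collections import defaultdict

# Lookup tables taken from the patent's embodiment (Step 2 PEA table and the
# Step 4 WT/WQ tables). Half-open working-time brackets are an assumption.
PEA_BY_HANDLING = {
    "not_modified": 1,      # code defect is not modified
    "partially_fixed": 2,   # code defect is modified, but not completely
    "fully_fixed": 3,       # code defect is completely rectified
}

WT_BRACKETS = [(3, 0.1), (5, 0.3), (8, 0.5), (10, 0.8)]  # (exclusive upper bound, WT)
WT_OVER_TEN = 1.0

WQ_BY_LEVEL = {
    "company": 0.1, "city": 0.3, "provincial": 0.5,
    "national": 0.8, "international": 1.0,
}

RISK_CLASSES = ("Critical", "High", "Medium", "Low")


def wt_value(years):
    """Map years of working time to the WT value of the Step 4 table."""
    for upper, value in WT_BRACKETS:
        if years < upper:
            return value
    return WT_OVER_TEN


def programmer_influence(staff):
    """PT = (sum_i WT_i * WQ_i) / N over the programming personnel.

    staff is a list of (years_of_working_time, qualification_level) pairs."""
    if not staff:
        raise ValueError("at least one programmer is required")
    total = sum(wt_value(years) * WQ_BY_LEVEL[level] for years, level in staff)
    return total / len(staff)


def class_threat_values(defects, alpha, beta):
    """Return (counts, threats): the per-class defect counts C_N/H_N/M_N/L_N and
    the per-class threat quantized values T_C/T_H/T_M (T_L by the same form,
    an assumption).

    defects is a list of dicts with keys 'risk_class', 'damage' (D_i, the
    threat degree DW entry) and 'handling' (looked up in the PEA table).
    For each class the patent's formula is T = alpha * exp(sum_i D_i*PEA_i / beta),
    the sum running over the defects present in that class; a class with no
    defects gets T = alpha (empty sum)."""
    by_class = defaultdict(list)
    for d in defects:
        by_class[d["risk_class"]].append(d)
    counts, threats = {}, {}
    for cls in RISK_CLASSES:
        members = by_class.get(cls, [])
        counts[cls] = len(members)
        exponent = sum(d["damage"] * PEA_BY_HANDLING[d["handling"]]
                       for d in members) / beta
        threats[cls] = alpha * math.exp(exponent)
    return counts, threats


# Constructed sample input: four findings with made-up threat degree values
# and a made-up three-person team.
SAMPLE_DEFECTS = [
    {"risk_class": "Critical", "damage": 4, "handling": "not_modified"},
    {"risk_class": "Critical", "damage": 5, "handling": "partially_fixed"},
    {"risk_class": "High", "damage": 3, "handling": "fully_fixed"},
    {"risk_class": "Low", "damage": 1, "handling": "not_modified"},
]
SAMPLE_STAFF = [(2, "company"), (6, "national"), (12, "international")]

if __name__ == "__main__":
    counts, threats = class_threat_values(SAMPLE_DEFECTS, alpha=1.0, beta=10.0)
    print("defect counts per class:", counts)
    for cls in RISK_CLASSES:
        print(f"T_{cls[0]} = {threats[cls]:.4f}")
    print(f"PT = {programmer_influence(SAMPLE_STAFF):.4f}")
```

Because the exponent is a sum of D_i·PEA_i products, the script makes visible a property of the page's formula worth checking before adopting it: a defect that has been completely rectified (PEA = 3) contributes more to the class's threat value than the same defect left untouched (PEA = 1), so α and β must be chosen with the intended direction of T in mind.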
Finally, it should be noted that the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application, without creative effort, fall within the scope of protection of the present application.

Claims (6)

1. A code security evaluation method based on defect analysis, characterized in that the method comprises the following steps:
Step 1: obtain the threat degree DW of the code defects WA;
Step 2: build a code defect library;
Step 3: carry out quantitative analysis of the code;
Step 4: obtain the security value T_A of the code.
2. The code security evaluation method based on defect analysis as claimed in claim 1, characterized in that a code defect threat degree attribute Damage is set according to the code defect classification, which yields the threat degree DW; the code defects are WA = {A_1, A_2, ..., A_i, ..., A_n}; the threat degrees are DW = {D_1, D_2, ..., D_i, ..., D_n}; DW and WA correspond one to one.
3. The code security evaluation method based on defect analysis as claimed in claim 1, characterized in that the code defect classification is established with Fortify and comprises the critical-risk class defects Critical, the high-risk class defects High, the medium-risk class defects Medium and the low-risk class defects Low.
4. The code security evaluation method based on defect analysis as claimed in claim 1, characterized in that the code defect library is built from the threat degree DW and the artificial impact index PEA;
The artificial impact index PEA is the impact on the threat degree DW of the handling approach that the programming personnel adopt for the code defect; PEA = {PEA_1, PEA_2, ..., PEA_i, ..., PEA_n}; PEA and WA correspond one to one.
5. The code security evaluation method based on defect analysis as claimed in claim 1, characterized in that the quantitative analysis of the code in step 3 comprises:
Step 3-1: obtain the quantitative value C_N of the critical-risk class defects Critical, the quantitative value H_N of the high-risk class defects High, the quantitative value M_N of the medium-risk class defects Medium and the quantitative value L_N of the low-risk class defects Low;
Step 3-2: from the threat degree DW, the artificial impact index PEA and the quantitative values C_N, H_N, M_N and L_N, calculate respectively the threat quantized value T_C of the critical-risk class defects Critical, the threat quantized value T_H of the high-risk class defects High, the threat quantized value T_M of the medium-risk class defects Medium and the threat quantized value T_L of the low-risk class defects Low;
$T_C = \alpha \exp\left\{ \sum_{i=0}^{C_N} D_i \, PEA_i / \beta \right\}$;
$T_H = \alpha \exp\left\{ \sum_{i=0}^{H_N} D_i \, PEA_i / \beta \right\}$;
$T_M = \alpha \exp\left\{ \sum_{i=0}^{M_N} D_i \, PEA_i / \beta \right\}$;
where α and β are coefficients that affect the general trend of the threat quantized values.
6. The code security evaluation method based on defect analysis as claimed in claim 1, characterized in that obtaining the security value T_A of the code in step 4 comprises:
Step 4-1: obtain the influence coefficient PT of the programming personnel, where WT_i is the working time of programming personnel i, WQ_i is the work qualification of programming personnel i, and N is the total number of programming personnel;
Step 4-2: obtain the code environment coefficient EVA, where ET is the number of executable code lines, VT is the number of valid code lines, FT is the total number of Function functions and CT is the total number of Class classes;
Step 4-3: calculate the security value T_A from the threat quantized values T_C, T_H, T_M and T_L and the code environment coefficient EVA.
Application CN201410262288.XA, priority date 2014-06-13, filing date 2014-06-13: "A kind of code safety evaluation method based on defect analysis", status Active, granted as CN104008057B (en).

Publications (2)

Publication Number | Publication Date
CN104008057A (en)  | 2014-08-27
CN104008057B (en)  | 2017-12-15

Family ID: 51368717

Citations (7)

* Cited by examiner, † Cited by third party
Publication number  | Priority date | Publication date | Assignee | Title
US6851108B1 (en) *  | 1999-09-01 | 2005-02-01 | Microsoft Corporation | Verifying intermediate language code
CN101442412A (en) * | 2008-12-18 | 2009-05-27 | 西安交通大学 (Xi'an Jiaotong University) | Method for prewarning aggression based on software defect and network aggression relation excavation
CN101710306A (en) * | 2009-12-15 | 2010-05-19 | 中国科学院软件研究所 (Institute of Software, Chinese Academy of Sciences) | Method and system for detecting software reliability
CN101819617A (en) * | 2010-05-06 | 2010-09-01 | 天津大学 (Tianjin University) | Software defect based method for quantificationally estimating software credibility
CN102073823A (en) * | 2011-02-25 | 2011-05-25 | 天津大学 (Tianjin University) | Defect analysis based software creditability evaluating method
CN102136047A (en) * | 2011-02-25 | 2011-07-27 | 天津大学 (Tianjin University) | Software trustworthiness engineering method based on formalized and unified software model
CN103366123A (en) * | 2013-05-07 | 2013-10-23 | 天津大学 (Tianjin University) | Software risk assessment method based on defect analysis


Legal Events

Code | Title and description
C06  | Publication
PB01 | Publication
C10  | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C41  | Transfer of patent application or patent right or utility model
TA01 | Transfer of patent application right; effective date of registration: 20160425; address before and after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing; applicants before: State Grid Corporation of China, China Electric Power Research Institute; applicants after: State Grid Corporation of China, China Electric Power Research Institute, State Grid Smart Grid Institute
CB02 | Change of applicant information; address before and after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing; applicants before: State Grid Corporation of China, China Electric Power Research Institute, State Grid Smart Grid Institute; applicants after: State Grid Corporation of China, China Electric Power Research Institute, GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE
COR  | Change of bibliographic data
GR01 | Patent grant