=Paper= {{Paper |id=Vol-3309/paper21 |storemode=property |title=Method and Technology for Ensuring the Software Security by Identifying and Classifying the Failures and Vulnerabilities |pdfUrl=https://ceur-ws.org/Vol-3309/paper21.pdf |volume=Vol-3309 |authors=Tetiana Hovorushchenko,Peter Popov,Dmytro Medzatyi,Yurii Voichur |dblpUrl=https://dblp.org/rec/conf/ittap/HovorushchenkoP22 }} ==Method and Technology for Ensuring the Software Security by Identifying and Classifying the Failures and Vulnerabilities== https://ceur-ws.org/Vol-3309/paper21.pdf
Method and Technology for Ensuring the Software Security by
Identifying and Classifying the Failures and Vulnerabilities
Tetiana Hovorushchenkoa, Peter Popovb, Dmytro Medzatyia and Yurii Voichura
a Khmelnytskyi National University, Institutska str., 11, Khmelnytskyi, 29016, Ukraine
b City University of London, Northampton Square, London, EC1V 0HB, United Kingdom


                Abstract
                The literature review of known methods and technologies for providing software security
                and for identifying software failures and vulnerabilities shows that, although these methods
                and technologies have great potential for software engineering, none of them is intended for
                identifying and classifying software failures and vulnerabilities. The goal of this study is
                therefore to develop a method for ensuring software security by identifying and classifying
                failures and vulnerabilities, and to design and implement a technology based on this method.
                The method developed in this paper concludes whether a failure occurred and, if so, reports
                its type to the user; it likewise concludes whether a feature of the software is a vulnerability
                and, if so, reports the type of vulnerability. The technology built on the method reports the
                presence or absence of software failure(s), the presence or absence of software
                vulnerability(s), and the type of each failure and vulnerability found, which makes it useful
                to software users.

                Keywords
                Software security, failure of software, vulnerability of software, identifying the failures and
                vulnerabilities, classifying the failures and vulnerabilities.

1. Introduction
   Modern software is a complex, multifunctional product, and errors, unintentional defects and
unprotected functions inevitably arise during its creation. In today's digital era software is widely
adopted and has become an integral part of society. Such widespread use involves large volumes of
critical data that inevitably need protection. It is essential that software not only meets user needs and
functional requirements, but is also secure. Creating secure software is a complex process, informally
guided by common knowledge, best practices and undocumented expertise. Software security can
therefore be considered one of the most important issues in software development, since technological
vulnerabilities and threats can affect the behaviour of a software product.

ITTAP’2022: 2nd International Workshop on Information Technologies: Theoretical and Applied Problems, November 22–24, 2022,
Ternopil, Ukraine
EMAIL: tat_yana@ukr.net (T. Hovorushchenko); p.t.popov@city.ac.uk (P. Popov); medza@ukr.net (D. Medzatyi); voichury@khmnu.edu.ua (Y. Voichur)
ORCID: 0000-0002-7942-1857 (T. Hovorushchenko); 0000-0002-3434-5272 (P. Popov); 0000-0002-1879-2945 (D. Medzatyi); 0000-0003-3085-7315 (Y. Voichur)
             © 2022 Copyright for this paper by its authors.
             Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
             CEUR Workshop Proceedings (CEUR-WS.org)
    Software security is the property of software to function without negative consequences for a
specific computer system. A security breach can have different causes: software failures, and software
vulnerabilities arising from programmer errors and defects in programs.
    A failure of software is an event characterized by a software malfunction, as a result of which the
software stops performing its functions, in whole or in part [1-5].
    A vulnerability of software is a software flaw (a design flaw, a programming error, or the use of
malicious software) whose exploitation makes it possible to intentionally violate the integrity of the
software and cause its incorrect operation; equivalently, it is the software's inability to resist a certain
threat or set of threats [6-10].
    Thousands of new vulnerabilities are discovered every year, requiring companies to patch operating
systems and applications and to reconfigure security settings across their entire network environment.
To address vulnerabilities proactively, before they can be exploited in a cyberattack, organizations that
take the security of their network environment seriously conduct vulnerability management.
    Detecting vulnerabilities in software code is an important means of ensuring software security.
Today, as the size and complexity of software grow rapidly, vulnerabilities become more diverse and
harder to identify.
    The main reasons for the appearance of vulnerabilities are:
    1. Shared use of resources and simplified information exchange between network nodes
    2. Significant complication of software
    3. Lack of complete information about the object and reliance on search mechanisms
    4. Unreliable data sources and a huge number of attackers
    5. Low qualification of software users, especially in matters of information protection: the
         software cannot resist threats from attackers if users, under their influence, unknowingly
         perform destructive actions
    6. Complexity of new technologies
    7. The trend of combining data and program code, embedding program code (macros, scripts) into
         documents
    8. The lag of the legal framework and standards behind changes in information processing
         methods and technologies
    9. Lack of secure processes in the software development life cycle
    The rapid growth of computing power and of the volumes of processed data, together with the
expanding range of tasks solved by software, make it difficult to carry out a full and detailed analysis
of possible vulnerabilities and to exclude the conditions for their appearance.
    Many leading scientists have studied how to improve software security, but software vulnerabilities
and failures still pose serious problems for software users, manifesting as information leaks and
information loss that lead to financial and reputational damage. For example, a software vulnerability
led to a leak giving access to 500 million records of Yahoo users [11]; Equifax lost information about
140 million people, which led to financial losses of USD 575 million [12]; attackers gained access to
50 million Facebook user profiles [13]; information about 600 thousand drivers and 57 million user
accounts was stolen from the Uber service, which led to financial losses of USD 148.1 million [14];
and the attack on Ukrainian government websites on January 14, 2022, was caused by a vulnerability
in the October CMS content management system [15].
    All major software security approaches are aimed at preventing total software failure rather than at
identifying software failures and vulnerabilities. Software security approaches succeed only by
identifying and reducing the number of errors (currently, the density of errors in software ranges from
2 to 100 errors per 1000 lines of code [16, 17]); therefore, the identification of software failures and
vulnerabilities is an urgent task.

2. Literature Review

   Let’s conduct the literature review on known methods and technologies for providing the software
security and for identifying the failures and vulnerabilities of software – Table 1.
Table 1
Literature review on known methods and technologies for providing the software security and for
identifying the failures and vulnerabilities of software

Method and/or technology | Providing the software security | Identifying the failures and vulnerabilities of software
Threatened-based Software Security Evaluation method and Security Evaluation Assistant (SEA) tool for improving the security evaluation process of software, with focus on existing threatened entities of software and software threats [18] | yes | no
Method for security reassurance of software increments, to ensure producing software increments that are acceptably secure to the business owner at the end of each iteration [19] | yes | no
Data-driven model for software security and methods for learning detailed software statistics while providing differential privacy for its users [20] | yes | no
Method for software security (CM-Sec) focusing on the end product by prioritizing countermeasures, which provides an extension to attack trees and a process for identification and prioritization of countermeasures [21] | yes | no
Q-learning method embedded as part of the software itself, providing a security mechanism that is able to learn by itself in order to develop a temporary repair mechanism [22] | yes | no
Methods, techniques, and best practices for requirements engineering and management as an emerging cloud service (SSREMaaES) and as a guideline on software security as a service [23] | yes | no
Methodology for minimizing software vulnerability to enhance its security, implemented in the processes of the software development life cycle [24] | yes | yes
Hierarchical software security case development method [25] | yes | no
Security modeling and verification framework for embedded software based on semiformal and formal methods, ZMsec (Z-MARTE security model) [26] | yes | no
SMASHUP: a toolchain for unified verification of software co-designs [27] | yes | no
Method for identifying software security vulnerabilities from software requirement specifications written in Structured Object-oriented Formal Language [28] | yes | no
Formal method for modeling software architectures and evaluating their quality attributes (including security, dependability and performance) quantitatively and in a unified manner [29] | yes | no
Model of Trustworthy Scrum (TS) enabling security activities to cooperate with agile methods and to work within the Scrum framework [30] | yes | no
Software failure analysis method based on system reliability modeling with the System-Theoretic Accident Modeling and Processes (STAMP) [31] | yes | yes
Using the pattern position distribution as features for detecting software failure [32] | no | yes
Taxonomy for identifying software failure modes, which provides input to the risk analysis of software-intensive systems [33] | no | yes
Cascade fault localization method and software tool, CaFL, to help speed up the labor-intensive process of identifying the root cause of a manifested failure via a combination of weakest precondition computation and constraint solving [34] | yes | yes
Method that detects the causes of failures by conducting root cause analysis [35] | yes | yes
Failure Identification for Complex Mission Analysis (FICMA) method, which provides both an overall failure analysis of a system's functionality and a mission-based failure analysis [36] | yes | yes
Failure prediction algorithm based on multi-layer Bidirectional Long Short Term Memory (Bi-LSTM) [37] | yes | yes
Method for identifying software data flow vulnerabilities based on the dendritic cell algorithm and an improved convolutional neural network, for effectively solving transmission errors in software data flow [38] | yes | yes
Method based on the concept of mutual information that detects and isolates software vulnerabilities at a fine-grained level in both unsupervised and semi-supervised contexts [39] | yes | yes
Pangr: an entire system for automatic vulnerability detection, exploitation, and patching [40] | no | yes
Automated method for determining the code evidence for the presence of vulnerabilities in retro software versions [41] | yes | yes
Pattern-based vulnerability discovery approach based on static analysis, machine learning, and graph mining, with a high focus on practical requirements [42] | yes | yes
Software source code vulnerability detection method based on Convolutional Neural Networks (CNN) and a Global Average Pooling (GAP) interpretability model [43] | yes | yes
VUDENC (Vulnerability Detection with Deep Learning on a Natural Codebase): a deep learning-based vulnerability detection tool that automatically learns features of vulnerable code from a large real-world Python codebase [44] | yes | yes
    The literature review of known methods and technologies for providing software security and for
identifying failures and vulnerabilities of software shows that, although these methods and
technologies have great potential for software engineering, none of them is intended for identifying
and classifying software failures and vulnerabilities according to rules for classifying failures and rules
for classifying vulnerabilities. The goal of this study is therefore to develop a method for ensuring
software security by identifying and classifying failures and vulnerabilities, based on the rules for
classifying failures and vulnerabilities developed by the authors in [45], and to design and implement
a technology for ensuring software security by identifying and classifying failures and vulnerabilities.

3. Method and Technology for Ensuring the Software Security by Identifying
   and Classifying the Failures and Vulnerabilities
    Considering the rules for classifying the failures and vulnerabilities of software developed by the
authors in [45], let's develop questionnaires for collecting the information about failure(s) and
vulnerability(s) that occurred during the software's operation.
    Questionnaire for collecting the information about failure(s):
    1. Is the software in an operational (workable) state after the termination of its operation?
    2. Was there a loss of data during the termination of the operation of the software?
    Each question of the failure questionnaire can be answered "yes" or "no".
    Rules for the classification of failures based on the answers to the failure questionnaire:
    1. If the user answers "yes" to the first question and "no" to the second question, then the
         variable sf = 1
    2. If the user answers "yes" to the first question and "yes" to the second question, then the
         variable sf = 2
    3. If the user answers "no" to the first question, then the variable sf = 3 (the answer to the
         second question does not change this outcome)
    Questionnaire for collecting the information about vulnerability(s):
    1. Did the software stop functioning for longer than the specified threshold time during the
         execution of a certain feature?
    2. Was there a loss of data completeness after performing a certain feature?
    3. Was there a data leak after performing a certain feature?
    4. Did it become impossible to obtain information permitted to the user after performing a certain
         feature?
    Each question of the vulnerability questionnaire can be answered "yes" or "no".
    Rules for the classification of vulnerabilities based on the answers to the vulnerability
questionnaire:
    1. If the user answers "yes" to the first question, then the matrix element sv[1,1] = 1
    2. If the user answers "yes" to the second question, then the matrix element sv[1,2] = 1
    3. If the user answers "yes" to the third question, then the matrix element sv[1,3] = 1
    4. If the user answers "yes" to the fourth question, then the matrix element sv[1,4] = 1
    Thus, the questionnaires for collecting information about failure(s) and about vulnerability(s), as
well as the rules for classifying failures and vulnerabilities from the answers to these questionnaires,
have been developed. The rules make it possible to identify and classify failure(s) and vulnerability(s)
of software that occurred during the software's operation.
    The method for ensuring the software security by identifying and classifying the failures and
vulnerabilities consists of the following steps:
    1. set the variable sf = 0; fill the first row of the sv matrix with zeros; fill the second row of the
         sv matrix with the texts later used to form the conclusion about the type of vulnerability(s):
         sv[2,1] = "the feature of the software is a vulnerability of correct operation"; sv[2,2] = "the
         feature of the software is a vulnerability of integrity of information"; sv[2,3] = "the feature
         of the software is a vulnerability of privacy of information"; sv[2,4] = "the feature of the
         software is the vulnerability of the availability of information"
    2. survey the software user using the compiled questionnaires for collecting the information
         about failure(s) and vulnerability(s)
    3. analyse the user's answers to the failure questionnaire using the rules for the classification of
         failures, and form the value of the variable sf
    4. if sf = 1, give the user the conclusion "the software failure is insignificant"; if sf = 2, the
         conclusion "the software failure is significant"; if sf = 3, the conclusion "the software failure
         is critical"; if sf = 0, the conclusion "software failures did not occur"
    5. analyse the user's answers to the vulnerability questionnaire using the rules for the
         classification of vulnerabilities, and fill the first row of the sv matrix
    6. for each i = 1..4 with sv[1,i] = 1, give the user the conclusion about the type of vulnerability
         stored in element sv[2,i]; if all elements of the first row of the sv matrix are 0, give the user
         the conclusion "the feature of the software is not a vulnerability"
    The developed method thus concludes whether a failure occurred and, if so, reports its type to the
user; it likewise concludes whether a feature of the software is a vulnerability and, if so, reports the
type of vulnerability.
    The developed method is the basis for designing the technology for ensuring the software security
by identifying and classifying the failures and vulnerabilities (Fig. 1).
    The developed technology provides a conclusion on the presence or absence of software failure(s),
a conclusion on the presence or absence of software vulnerability(s), and a conclusion about the type
of failure and the type of vulnerability when they are present, which makes it useful for software users.
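The classification rules and the six steps above, together with the accounting-software survey worked through in Section 4, as an added Python example that is not part of the original paper: it encodes the failure rules as the variable sf, the vulnerability rules as the first row of the sv matrix, and issues the same conclusion texts. Two assumptions are made that the paper does not state: the failure questionnaire is only administered after a termination of operation, so sf = 0 corresponds to "no event reported" rather than to any answer combination; and the feature name "report export" is hypothetical. The example also goes slightly beyond the paper by accepting answers for several features at once, so that one report covers all surveyed features.

```python
"""Questionnaire-driven classification of software failures and vulnerabilities.

Added example (not the paper's code). Encodes the failure rules (sf in 0..3)
and the vulnerability rules (first row of the sv matrix). The sample answers
at the bottom are constructed to match the accounting-software case.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Conclusions issued for each value of the variable sf (step 4 of the method).
FAILURE_CONCLUSIONS: Dict[int, str] = {
    0: "software failures did not occur",
    1: "the software failure is insignificant",
    2: "the software failure is significant",
    3: "the software failure is critical",
}

# Second row of the sv matrix (step 1 of the method): one conclusion text per
# vulnerability question, in questionnaire order.
SV_TYPES: Tuple[str, ...] = (
    "the feature of the software is a vulnerability of correct operation",
    "the feature of the software is a vulnerability of integrity of information",
    "the feature of the software is a vulnerability of privacy of information",
    "the feature of the software is the vulnerability of the availability of information",
)
NO_VULNERABILITY = "the feature of the software is not a vulnerability"


def _yes(answer: str) -> bool:
    """Normalise a questionnaire answer; anything but yes/no is rejected."""
    value = answer.strip().lower()
    if value not in ("yes", "no"):
        raise ValueError(f"answer must be 'yes' or 'no', got {answer!r}")
    return value == "yes"


def classify_failure(answers: Optional[Sequence[str]]) -> int:
    """Failure rules 1-3. `answers` is (Q1, Q2) of the failure questionnaire.

    Assumption (not stated in the paper): the questionnaire is only filled in
    after a termination of operation, so `None` means no such event was
    reported and sf stays 0. Every answered questionnaire yields sf in 1..3;
    rule 3 ignores Q2, so data loss on a non-workable system is still critical.
    """
    if answers is None:
        return 0
    if len(answers) != 2:
        raise ValueError("failure questionnaire has exactly two questions")
    workable, data_lost = (_yes(a) for a in answers)
    if not workable:
        return 3
    return 2 if data_lost else 1


def classify_vulnerability(answers: Sequence[str]) -> List[int]:
    """Vulnerability rules 1-4: returns the first row of sv, each sv[1,i] in {0, 1}."""
    if len(answers) != 4:
        raise ValueError("vulnerability questionnaire has exactly four questions")
    return [1 if _yes(a) else 0 for a in answers]


def vulnerability_conclusions(answers: Sequence[str]) -> List[str]:
    """Step 6: every sv[2,i] with sv[1,i] = 1, or the 'not a vulnerability' text."""
    row = classify_vulnerability(answers)
    found = [SV_TYPES[i] for i, flag in enumerate(row) if flag]
    return found or [NO_VULNERABILITY]


def assess(failure_answers: Optional[Sequence[str]],
           feature_answers: Dict[str, Sequence[str]]) -> Dict[str, object]:
    """Run steps 1-6 for one software product.

    Generalises the paper's single-feature survey to a mapping of feature name
    to its four answers, so one report covers all surveyed features.
    """
    sf = classify_failure(failure_answers)
    return {
        "sf": sf,
        "failure": FAILURE_CONCLUSIONS[sf],
        "features": {
            name: {"sv_row1": classify_vulnerability(ans),
                   "conclusions": vulnerability_conclusions(ans)}
            for name, ans in feature_answers.items()
        },
    }


# Constructed sample survey of the accounting software from the Results section;
# the feature name "report export" is hypothetical.
SAMPLE_FAILURE_ANSWERS = ("yes", "no")
SAMPLE_FEATURE_ANSWERS = {"report export": ("yes", "no", "yes", "yes")}

if __name__ == "__main__":
    report = assess(SAMPLE_FAILURE_ANSWERS, SAMPLE_FEATURE_ANSWERS)
    print(f"sf = {report['sf']}: {report['failure']}")
    for name, result in report["features"].items():
        print(f"{name}: sv row 1 = {result['sv_row1']}")
        for line in result["conclusions"]:
            print("  " + line)
```

Running the module reports sf = 1 ("the software failure is insignificant") and the sv row [1, 0, 1, 1] with the three vulnerability conclusions of Section 4. Two practical points follow from writing the rules out: an answered failure questionnaire never yields sf = 0, so an implementation must record separately whether a termination event happened at all; and answers outside "yes"/"no" are rejected rather than silently treated as "no", since a blank or ambiguous answer would otherwise hide a data loss or a leak.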

4. Results & Discussion
    Let's consider the operation of the developed method and technology on software for keeping
accounting.
    In the first stage of the method, the variable sf and the elements of the first row of the sv matrix
were reset to zero, and the second row of the sv matrix was filled in.
    In the second stage, the user of the accounting software was surveyed using the compiled
questionnaires for collecting the information about failure(s) and vulnerability(s).
Figure 1: Technology for ensuring the software security by identifying and classifying the failures and
vulnerabilities

    In the third stage, the user's answers to the failure questionnaire were analysed using the rules for
the classification of failures, and the value of the variable sf was formed. The user of the accounting
software answered "yes" to the first question and "no" to the second question, so sf = 1.
    In the fourth stage, since sf = 1, the user is given the conclusion "the software failure is
insignificant".
    In the fifth stage, the user's answers to the vulnerability questionnaire were analysed using the rules
for the classification of vulnerabilities, and the first row of the sv matrix was filled in. The user of the
accounting software answered "yes" to the first, third and fourth questions, so the sv matrix is as shown
in Table 2.

Table 2
Matrix sv, which contains signs of the presence or absence of a software vulnerability, as well as the
type of vulnerability

       | column I | column II | column III | column IV
row I  | 1 | 0 | 1 | 1
row II | the feature of the software is a vulnerability of correct operation | the feature of the software is a vulnerability of integrity of information | the feature of the software is a vulnerability of privacy of information | the feature of the software is the vulnerability of the availability of information

    In the sixth stage, since sv[1,1] = 1, the user is given the conclusion "the feature of the software
is a vulnerability of correct operation" (element sv[2,1]); since sv[1,3] = 1, the conclusion "the feature
of the software is a vulnerability of privacy of information" (element sv[2,3]); and since sv[1,4] = 1,
the conclusion "the feature of the software is the vulnerability of the availability of information"
(element sv[2,4]). The considered feature of the software is therefore a vulnerability of correct
operation, of privacy of information and of availability of information.
    The experiment with applying the developed method and technology to software for keeping
accounting thus showed that, based on a survey of its user, a conclusion was given regarding the
presence of an insignificant failure of the software, as well as a conclusion regarding the presence of
a vulnerability of correct operation, privacy and availability of information in the considered feature.

5. Conclusions
   All major software security approaches are aimed at preventing total software failure rather than at
identifying software failures and vulnerabilities. Since software security approaches succeed only by
identifying and reducing the number of errors, the identification of software failures and vulnerabilities
is an urgent task.
   The literature review of known methods and technologies for providing software security and for
identifying failures and vulnerabilities of software showed that, although these methods and
technologies have great potential for software engineering, none of them is intended for identifying
and classifying software failures and vulnerabilities. The goal of this study was therefore to develop a
method for ensuring software security by identifying and classifying failures and vulnerabilities, and
to design and implement a technology based on this method.
   This paper develops questionnaires for collecting information about failure(s) and about
vulnerability(s), together with rules for classifying failures and vulnerabilities from the answers to
these questionnaires. The rules make it possible to identify and classify failure(s) and vulnerability(s)
of software that occurred during the software's operation.
   The developed method concludes whether a failure occurred and, if so, reports its type to the user;
it likewise concludes whether a feature of the software is a vulnerability and, if so, reports the type of
vulnerability. The developed technology reports the presence or absence of software failure(s), the
presence or absence of software vulnerability(s), and the type of each failure and vulnerability found,
which makes it useful to software users.
   The experiment with applying the developed method and technology to software for keeping
accounting showed that, based on a survey of its user, a conclusion was given regarding the presence
of an insignificant failure of the software, as well as a conclusion regarding the presence of a
vulnerability of correct operation, privacy and availability of information in the considered software.

6. References

[1] What is Software Failure, 2021. URL: https://www.igi-global.com/dictionary/investigation-of-
     software-reliability-prediction-using-statistical-and-machine-learning-methods/59093.
[2] O. Pomorova, T. Hovorushchenko. Research of Artificial Neural Network's Component of
     Software Quality Evaluation and Prediction Method, in: Proceedings of the 2011 IEEE 6-th
     International Conference on Intelligent Data Acquisition and Advanced Computing Systems:
     Technology and Applications, IDAACS-2011, Prague, 2011, vol.2, pp. 959-962. doi:
     10.1109/IDAACS.2011.6072916.
[3] T. Hovorushchenko, O. Pomorova. Methodology of Evaluating the Sufficiency of Information on
     Quality in the Software Requirements Specifications, in: Proceedings of 2018 IEEE 9th
     International Conference on Dependable Systems, Services and Technologies, DeSSerT-2018,
     2018, pp. 385-389. doi: 10.1109/DESSERT.2018.8409161.
[4] T. Hovorushchenko. Methodology of Evaluating the Sufficiency of Information for Software
     Quality Assessment According to ISO 25010. Journal of Information and Organizational Sciences
     42 1 (2018) 63-85. doi: 10.31341/jios.42.1.4.
[5] T. Hovorushchenko. Information Technology for Assurance of Veracity of Quality Information in
     the Software Requirements Specification. Advances in Intelligent Systems and Computing 689
     (2018) 166–185. doi: 10.1007/978-3-319-70581-1_12.
[6] M. Howard, D. LeBlanc, J. Viega, 24 Deadly Sins of Software Security: Programming Flaws and
     How to Fix Them, McGraw-Hill Education, Redmond, 2010.
[7] T. Hovorushchenko, O. Pavlova, D. Medzatyi. Ontology-Based Intelligent Agent for
     Determination of Sufficiency of Metric Information in the Software Requirements. Advances in
     Intelligent Systems and Computing 1020 (2020) 447-460. doi: 10.1007/978-3-030-26474-1_32.
[8] T. Hovorushchenko, O. Pavlova, M. Bodnar. Development of an Intelligent Agent for Analysis of
     Nonfunctional Characteristics in Specifications of Software Requirements. Eastern-European
     Journal of Enterprise Technologies 1 2(97) (2019) 6-17. doi: 10.15587/1729-4061.2019.154074.
[9] T. Hovorushchenko, O. Pavlova. Method of Activity of Ontology-Based Intelligent Agent for
     Evaluating the Initial Stages of the Software Lifecycle. Advances in Intelligent Systems and
     Computing 836 (2019) 169-178. doi: 10.1007/978-3-319-97885-7_17.
[10] T. Hovorushchenko, O. Pavlova. Evaluating the Software Requirements Specifications Using
     Ontology-Based Intelligent Agent, in: Proceedings of 2018 IEEE International Scientific and
     Technical Conference “Computer Science and Information Technologies”, СSIT-2018, Lviv,
     2018, vol.1, pp. 215-218. doi: 10.1109/STC-CSIT.2018.8526730.
[11] Yahoo         says        500       million       accounts      stolen,      2016.        URL:
     https://money.cnn.com/2016/09/22/technology/yahoo-data-breach.
[12] Equifax Made Major Errors That Led to Hack, Ex-CEO Concedes, 2017. URL:
     https://www.bloomberg.com/news/articles/2017-10-02/ex-equifax-ceo-says-human-tech-failures-
     allowed-breach-to-occur.
[13] Facebook Says Breach Affected About 50 Million Accounts, 2018. URL:
     https://www.bloomberg.com/news/articles/2018-09-28/facebook-says-security-breach-affected-
     about-50-million-accounts.
[14] A.G. Underwood Announces Record $148 Million Settlement With Uber Over 2016 Data Breach,
     2018. URL: https://ag.ny.gov/press-release/2018/ag-underwood-announces-record-148-million-
     settlement-uber-over-2016-data-breach.
[15] It could have been prevented: it became known why government websites "went down", 2022.
     URL: https://www.epravda.com.ua/news/2022/01/14/681448/.
[16] S. McConnell, Code complete, Microsoft Press, Redmond, 2013.
[17] T. Ostrand, E. Weyuker, Predicting bugs in large industrial software systems. Lecture Notes in
     Computer Science 7171 (2013) 71-93. doi: 10.1007/978-3-642-36054-1_3.
[18] M. Razian, H. Sangchi. A Threatened-based Software Security Evaluation Method, in:
     Proceedings of 11th International ISC Conference on Information Security and Cryptology,
     ISCISC-2014, Tehran, 2014, pp. 120-125. doi: 10.1109/ISCISC.2014.6994034.
[19] L. ben Othmane, P. Angin, H. Weffers, B. Bhargava. Extending the Agile Development Process
     to Develop Acceptably Secure Software. IEEE Transactions on Dependable and Secure
     Computing 11 6 (2015) 497-509. doi: 10.1109/TDSC.2014.2298011.
[20] U. Erlingsson. Data-driven Software Security: Models and Methods, in: Proceedings of 29th IEEE
     Computer Security Foundations Symposium, CSF-2017, Lisbon, 2017, pp. 9-15. doi:
     10.1109/CSF.2016.40.
[21] D. Baca, K. Petersen. Prioritizing Countermeasures through the Countermeasure Method for
     Software Security (CM-Sec). Lecture Notes in Computer Science 6156 (2010) 176-190. doi:
     10.1007/978-3-642-13792-1_15.
[22] A. Randrianasolo, L. Pyeatt. Q-Learning: From Computer Network Security To Software Security,
     in: Proceedings of 13th International Conference on Machine Learning and Applications, ICMLA-
     2014, Detroit, 2014, pp. 257-262. doi: 10.1109/ICMLA.2014.47.
[23] M. Ramachandran. Software security requirements management as an emerging cloud computing
     service. International Journal of Information Management 36 4 (2016) 580-590. doi:
     10.1016/j.ijinfomgt.2016.03.008.
[24] S. Farhan, M. Mostafa. A Methodology for Enhancing Software Security During Development
     Processes, in: Proceedings of 21st Saudi-Computer-Society National Computer Conference, NCC-
     2018, Riyadh, 2018, pp. 1-6. doi: 10.1109/NCG.2018.8593135.
[25] B. Xu, M. Lu, D. Zhang. A Layered Argument Strategy for Software Security Case Development,
     in: Proceedings of 28th IEEE International Symposium on Software Reliability Engineering,
     Toulouse, 2017, pp. 331-338. doi: 10.1109/ISSREW.2017.52.
[26] X. Hu, Y. Zhuang, F. Zhang. A security modeling and verification method of embedded software
     based on Z and MARTE. Computers & Security 88 (2020) No 10615. doi:
     10.1016/j.cose.2019.101615.
[27] F. Lugou, L. Apvrille, A. Francillon. SMASHUP: a toolchain for unified verification of
     hardware/software co-designs. Journal of Cryptographic Engineering 7 1 (2017) 63-74. doi:
     10.1007/s13389-016-0145-2.
[28] B. Emeka, S. Liu. Assessing and Extracting Software Security Vulnerabilities in SOFL Formal
     Specifications, in: Proceedings of 17th Annual International Conference on Electronics,
     Information, and Communication, ICEIC-2018, Honolulu, 2018, pp. 374-377. doi:
     10.23919/ELINFOCOM.2018.8330613.
[29] A. Sedaghatbaf, M. Azgomi. Software Architecture Modeling and Evaluation Based on Stochastic
     Activity Networks. Lecture Notes in Computer Science 939 (2015) 46-53. doi: 10.1007/978-3-
     319-24644-4_3.
[30] G. Koc, M. Aydos, M. Tekerek. Evaluation of Trustworthy Scrum Employment for Agile Software
     Development based on the Views of Software Developers, in: Proceedings of 4th International
     Conference on Computer Science and Engineering, UBMK-2019, Samsun, 2019, pp. 63-67. doi:
     10.1109/UBMK.2019.8907213.
[31] J. Song, H. Zhao, X. Li, Y. Yang, C. Liu, H. Li. A new software failure analysis method based on
     the system reliability modeling, in: Proceedings of IEEE 8th Joint International Information
     Technology and Artificial Intelligence Conference, ITAIC-2019, Chongqing, 2019, pp. 1143-
     1149. doi: 10.1109/ITAIC.2019.8785794.
[32] C. Li, Z. Chen, H. Du, H. Wang, G. Wilkie, J. Augusto, J. Liu. Using Pattern Position Distribution
     for Software Failure Detection. International Journal of Computational Intelligence Systems 6 2
     (2013) 234-243. doi: 10.1080/18756891.2013.768442.
[33] C. Thieme, A. Mosleh, I. Utne, J. Hegde. Incorporating software failure in risk analysis - Part 1:
     Software functional failure mode classification. Reliability Engineering & System Safety 197
     (2020) No 106803. doi: 10.1016/j.ress.2020.106803.
[34] Q. Yi, Z. Yang, J. Liu, C. Zhao, C. Wang. Explaining Software Failures by Cascade Fault
     Localization. ACM Transactions on Design Automation of Electronic Systems 20 3 (2015) No 41.
     doi: 10.1145/2738038.
[35] T. Lehtinen, M. Mantyla, J. Vanhanen, J. Itkonen, C. Lassenius. Perceived causes of software
     project failures - An analysis of their relationships. Information and Software Technology 56 6
     (2014) 623-643. doi: 10.1016/j.infsof.2014.01.015.
[36] C. DeStefano, D. Jensen. Failure Identification for Mission Analysis for Complex Systems, in:
     Proceedings of ASME International Design Engineering Technical Conferences and Computers
     and Information in Engineering Conference, Boston, 2015, No V01AT02A044. doi:
     10.1115/DETC2015-47599.
[37] J. Gao, H. Wang, H. Shen. Task Failure Prediction in Cloud Data Centers Using Deep Learning.
     IEEE Transactions on Services Computing 15 3 (2022) 1411-1422. doi:
     10.1109/TSC.2020.2993728.
[38] C. Luo, W. Bo, H. Kun, Y. Lou. Study on Software Vulnerability Characteristics and Its
     Identification Method. Mathematical Problems in Engineering (2020) No 1583132. doi:
     10.1155/2020/1583132.
[39] V. Nguyen, T. Le, O. De Vel, P. Montague, J. Grundy, D. Phung. Information-theoretic Source
     Code Vulnerability Highlighting, in: Proceedings of International Joint Conference on Neural
     Networks, IJCNN-2021, Electr. Network, 2021. doi: 10.1109/IJCNN52387.2021.9533907.
[40] D. Liu, J. Wang, Z. Rong, X. Mi, F. Gai, T. Yong, B. Wang. Pangr: A Behavior-based Automatic
     Vulnerability Detection and Exploitation Framework, in: Proceedings of 17th IEEE International
     Conference on Trust, Security and Privacy in Computing and Communications, 12th IEEE
     International Conference on Big Data Science and Engineering, New York, 2018, pp. 705-712.
     doi: 10.1109/TrustCom/BigDataSE.2018.00103.
[41] V. Nguyen, S. Dashevskyi, F. Massacci. An automatic method for assessing the versions affected
     by a vulnerability. Empirical Software Engineering 21 6 (2016) 2268-2297. doi: 10.1007/s10664-
     015-9408-2.
[42] F. Yamaguchi. Pattern-based methods for vulnerability discovery. IT - Information Technology 59
     2 (2017) 101-106. doi: 10.1515/itit-2016-0037.
[43] J. Wang, H. Kuang, R. Li, Y. Su. Software Source Code Vulnerability Detection Based on CNN-
     GAP Interpretability Model. Journal of Electronics & Information Technology 44 7 (2022) 2568-
     2575. doi: 10.11999/JEIT210412.
[44] L. Wartschinski, Y. Noller, T. Vogel, T. Kehrer, L. Grunske. VUDENC: Vulnerability Detection
     with Deep Learning on a Natural Codebase for Python. Information and Software Technology 144
     (2022) No 106809. doi: 10.1016/j.infsof.2021.106809.
[45] T. Hovorushchenko. Criteria and Rules for Classification of Software Failures and Vulnerabilities.
     CEUR-WS 3039 (2021) 217-224.