<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>UBMK.</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <article-id pub-id-type="doi">10.1109/UBMK.2019.8907213</article-id>
      <title-group>
        <article-title>Method and Technology for Ensuring the Software Security by Identifying and Classifying the Failures and Vulnerabilities</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Tetiana Hovorushchenko</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Peter Popov</string-name>
          <email>p.t.popov@city.ac.uk</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Dmytro Medzatyi</string-name>
          <email>medza@ukr.net</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Yurii Voichur</string-name>
          <email>voichury@khmnu.edu.ua</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="editor">
          <string-name>Ternopil, Ukraine</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>City University of London</institution>
          ,
          <addr-line>Northampton Square, London, EC1V 0HB</addr-line>
          ,
          <country country="UK">United Kingdom</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Khmelnytskyi National University</institution>
          ,
          <addr-line>Institutska str., 11, Khmelnytskyi, 29016</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2019</year>
      </pub-date>
      <volume>8907213</volume>
      <issue>106803</issue>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>The conducted literature review on known methods and technologies for providing the software security and for identifying the failures and vulnerabilities of software showed that, although the analyzed methods and technologies have great potential for the field of software engineering, none of the known solutions are intended for identification and classification of software failures and vulnerabilities. Therefore, it is necessary to develop a method for ensuring the software security by identifying and classifying the failures and vulnerabilities, as well as to design and implement a technology for ensuring the software security by identifying and classifying the failures and vulnerabilities, which is the goal of this study. The developed in this paper method for ensuring the software security by identifying and classifying the failures and vulnerabilities provides a conclusion as to whether a failure occurred, and if a failure occurred, its type is issued to the user. In addition, the developed method for ensuring the software security by identifying and classifying the failures and vulnerabilities provides a conclusion as to whether a feature is a vulnerability, and if the feature is a vulnerability, its type is issued to the user. The paper also develops a technology for ensuring the software security by identifying and classifying the failures and vulnerabilities, which provides a conclusion on the presence or absence of software failure(s); conclusion on the presence or absence of software vulnerability(s); conclusion about the type of failure and the type of vulnerability in case of their presence, thanks to which the proposed technology is useful for software users due to the identification and classification of failures and vulnerabilities. Software security, failure of software, vulnerability of software, identifying the failures and</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>vulnerabilities, classifying the failures and vulnerabilities.</p>
    </sec>
    <sec id="sec-2">
      <title>1. Introduction</title>
      <p>Modern software is a complex multifunctional product, during the creation of which errors,
unintentional software defects, and unprotected functions inevitably occur. In today's digital era,
software is widely adapted and has become an integral part of human society. Such widespread use of
software is associated with the use of large and critical data that inevitably needs protection. It is critical
to ensure that this software not only meets user needs or functional requirements, but it is equally
important to ensure that this software is secure. Creating the secure software is a complex process. It is
a process informally guided by common knowledge, best practices and undocumented expertise. In
general, software security can be considered as one of the most important issues in the field of software
development, as it can affect the performance of a software product through various technological
vulnerabilities and threats.</p>
      <p>2022 Copyright for this paper by its authors.</p>
      <p>Software security is the property of certain software to function without various negative
consequences for a specific computer system. The reasons leading to a security breach can be different:
software failures, software vulnerabilities due to programmer errors and defects in programs.</p>
      <p>
        Failure of software is an event characterized by software malfunction, as a result of which the
software stops performing its functions (in whole or in part) [
        <xref ref-type="bibr" rid="ref1 ref2 ref3 ref4 ref5">1-5</xref>
        ].
      </p>
      <p>
        Vulnerability of software is a software flaw (software design flaw, programming error, use of
malicious software), when used, it is possible to intentionally violate the integrity of the software and
cause its incorrect operation; it is the software's inability to resist the implementation of a certain threat
or set of threats [
        <xref ref-type="bibr" rid="ref10 ref6 ref7 ref8 ref9">6-10</xref>
        ].
      </p>
      <p>Thousands of new vulnerabilities are discovered every year, requiring companies to patch operating
systems and applications, as well as reconfigure security settings across their entire network
environment. To proactively address vulnerabilities before they can be exploited for a cyberattack,
organizations that take the security of their network environment seriously conduct vulnerability
management to ensure the highest level of security possible.</p>
      <p>Detecting the vulnerability of software code is an important method of ensuring software security.
Today, as the size and complexity of software grows rapidly, vulnerabilities become more diverse and
harder to identify.</p>
      <p>The main reasons for the appearance of vulnerabilities are:
1. Shared use of resources and simplification of information exchange between network nodes
2. Significant complication of software
3. Lack of complete information about the object and the use of search mechanisms
4. Unreliable data sources and a huge number of attackers
5. Low qualification of software users, especially in matters of information protection - the
software is unable to resist threats from attackers, if users under their influence unknowingly
perform destructive actions
6. Complexity of new technologies
7. The trend of combining data and program code, embedding program code (macros, scripts) into
documents
8. The lag in the development of the legal framework, standards from changes in information
processing methods and technologies
9. Lack of safe processes in the life cycle of software development</p>
      <p>The rapid growth of computing power of computers and volumes of processed data, the expansion
of the range of tasks that are solved by software, make it difficult to carry out a full and detailed analysis
of possible vulnerabilities and exclude the conditions for their appearance.</p>
      <p>Currently, many leading scientists have conducted a number of studies on improving software
security, but software vulnerabilities and failures still pose serious problems for software users,
manifesting in information leaks, information loss, leading to financial and reputational losses. So, for
example, due to software vulnerabilities, there was a leak of information in the form of access to 500
million records of Yahoo users [11]; the Equifax company lost information about 140 million people,
which led to financial losses of 575 million dollars of USA [12]; attackers gained access to 50 million
Facebook user profiles [13]; abduction of information about 600 thousand drivers and 57 million
accounts of users of the Uber service, which led to financial losses of 148.1 million dollars of USA
[14]; a hacker attack on Ukrainian government websites on January 14, 2022, caused by a vulnerability
in the October CMS website content management system [15].</p>
      <p>All major software security approaches are aimed at preventing total software failure, but not at
identifying software failures and vulnerabilities. The success of software security approaches is only
possible due to the identification and reduction of the number of errors (currently, the density of errors
in software ranges from 2 to 100 errors per 1000 lines of code [16, 17]), therefore, the identification of
software failures and vulnerabilities is an urgent task at the moment.</p>
    </sec>
    <sec id="sec-3">
      <title>2. Literature Review</title>
      <p>Let’s conduct the literature review on known methods and technologies for providing the software
security and for identifying the failures and vulnerabilities of software – Table 1.</p>
      <sec id="sec-3-1">
        <title>Providing the software security</title>
      </sec>
      <sec id="sec-3-2">
        <title>Threatened-based Software Security Evaluation</title>
        <p>method and Security Evaluation Assistant (SEA) tool
for improving the security evaluation process of
software with focus on existing threatened entities of
software and software threats [18]</p>
      </sec>
      <sec id="sec-3-3">
        <title>Method for security reassurance of software increments to ensure producing acceptably secure-by the business owner-software increments at the end of each iteration [19]</title>
      </sec>
      <sec id="sec-3-4">
        <title>Data-driven model for software security and methods</title>
        <p>for learning detailed software statistics while
providing differential privacy for its users [20]</p>
      </sec>
      <sec id="sec-3-5">
        <title>Method for software security (CM-Sec) focusing on</title>
        <p>the end product by prioritizing countermeasures,
which provides an extension to attack trees and a
process for identification and prioritization of
countermeasures [21]</p>
      </sec>
      <sec id="sec-3-6">
        <title>Q-learning method embedded as part of the software itself for providing the security mechanism that has ability to learn by itself for development of a temporary repair mechanism [22]</title>
      </sec>
      <sec id="sec-3-7">
        <title>Methods, techniques, and best practice requirements engineering and management as an emerging cloud service (SSREMaaES) and as a guideline on software security as a service [23]</title>
      </sec>
      <sec id="sec-3-8">
        <title>Methodology for minimizing software vulnerability for</title>
        <p>enhancing its security implemented in the processes
of the software development life cycle [24]</p>
      </sec>
      <sec id="sec-3-9">
        <title>Hierarchical software security case development method [25]</title>
      </sec>
      <sec id="sec-3-10">
        <title>Security modeling and verification framework of</title>
        <p>embedded software based on semiformal and formal
methods ZMsec (Z-MARTE security model) [26]</p>
      </sec>
      <sec id="sec-3-11">
        <title>SMASHUP: a toolchain for unified verification of software co-designs [27]</title>
      </sec>
      <sec id="sec-3-12">
        <title>Method for identifying software security</title>
        <p>vulnerabilities from software requirement
specifications written in Structured Object-oriented</p>
      </sec>
      <sec id="sec-3-13">
        <title>Formal Language [28]</title>
        <p>Formal method for modeling software architectures
and evaluating their quality attributes (include
security, dependability and performance)
quantitatively and in a unified manner [29]
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes</p>
        <p>Identifying the</p>
        <p>failures and
vulnerabilities of
software
no
no
no
no
no
no
yes
no
no
no
no
no</p>
      </sec>
      <sec id="sec-3-14">
        <title>Model of Trustworthy Scrum (TS) enabling the security activities to cooperate with the agile methods and to work in Scrum framework [30]</title>
      </sec>
      <sec id="sec-3-15">
        <title>Software failure analysis method based on the system</title>
        <p>reliability modeling with the System-Theoretic</p>
      </sec>
      <sec id="sec-3-16">
        <title>Accident Modeling and Processes (STAMP) [31]</title>
      </sec>
      <sec id="sec-3-17">
        <title>Using the pattern position distribution as features for detecting the software failure [32]</title>
      </sec>
      <sec id="sec-3-18">
        <title>Taxonomy for identifying software failure modes, which provide input to the risk analysis of softwareintensive systems [33]</title>
      </sec>
      <sec id="sec-3-19">
        <title>Cascade fault localization method and software tool</title>
        <p>called CaFL for help of speed up labor-intensive
process of identification of the root cause of a
manifested failure via a combination of weakest
precondition computation and constraint solving [34]</p>
      </sec>
      <sec id="sec-3-20">
        <title>Method, which the causes of failures detects by</title>
        <p>conducting root cause analysis [35]</p>
      </sec>
      <sec id="sec-3-21">
        <title>Failure Identification for Complex Mission Analysis (FICMA) method provides both an overall failure analysis on a system's functionality as well as a mission-based failure analysis [36]</title>
      </sec>
      <sec id="sec-3-22">
        <title>Failure prediction algorithm based on multi-layer</title>
      </sec>
      <sec id="sec-3-23">
        <title>Bidirectional Long Short Term Memory (Bi-LSTM) [37]</title>
      </sec>
      <sec id="sec-3-24">
        <title>A method for identifying software data flow</title>
        <p>vulnerabilities based on the dendritic cell algorithm
and the improved convolutional neural network for
effectively solving the transmission errors in software
data flow [38]</p>
      </sec>
      <sec id="sec-3-25">
        <title>Method based on the concept of mutual information that detect and isolate software vulnerabilities at a fine-grained level in both unsupervised and semisupervised contexts [39]</title>
      </sec>
      <sec id="sec-3-26">
        <title>Pangr: an entire system for automatic vulnerability</title>
        <p>detection, exploitation, and patching [40]</p>
      </sec>
      <sec id="sec-3-27">
        <title>Automated method for determining the code evidence for the presence of vulnerabilities in retro software versions [41]</title>
      </sec>
      <sec id="sec-3-28">
        <title>Pattern-based vulnerability discovery approach based</title>
        <p>on static analysis, machine learning, and graph mining
with a high focus on practical requirements [42]</p>
      </sec>
      <sec id="sec-3-29">
        <title>Software source code vulnerability detection method</title>
        <p>based on Convolution Neural Networks (CNN) and</p>
      </sec>
      <sec id="sec-3-30">
        <title>Global Average Pooling (GAP) interpretability model [43]</title>
        <p>VUDENC (Vulnerability Detection with Deep Learning</p>
        <p>on a Natural Codebase): a deep learning-based
vulnerability detection tool that automatically learns
features of vulnerable code from a large and
realworld Python codebase [44]
yes
yes
no
no
yes
yes
yes
yes
yes
yes
no
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes</p>
        <p>The conducted literature review on known methods and technologies for providing the software
security and for identifying the failures and vulnerabilities of software showed that, although the
analyzed methods and technologies have great potential for the field of software engineering, none of
the known solutions are intended for identification and classification of software failures and
vulnerabilities according to the rules for classifying the failures and to the rules for classifying the
vulnerabilities. Therefore, it is necessary to develop a method for ensuring the software security by
identifying and classifying the failures and vulnerabilities based on the developed by authors in [45]
rules for classifying the failures and the vulnerabilities, as well as to design and implement a technology
for ensuring the software security by identifying and classifying the failures and vulnerabilities, which
is the goal of this study.
3. Method and Technology for Ensuring the Software Security by Identifying
and Classifying the Failures and Vulnerabilities</p>
        <p>Considering the rules for classifying the failures and vulnerabilities of software developed by the
authors in [45], let's develop questionnaires for collecting the information about failure(s) and
vulnerability(s) that occurred during the software's operation.</p>
        <p>Questionnaire for collecting the information about failure(s):
1. Has the software operational (workable) state after termination of the operation of the software?
2. Was there a loss of data during the termination of the operation of the software?
Each of the questions in the questionnaire for collecting the information about the failure(s) can have
"yes" or "no" answer.</p>
        <p>Rules for the classification of failures based on the analysis of answers to questions of questionnaire
for collecting the information about the failure(s):
1. If software user gives the answer "yes" to the first question of the questionnaire for collecting
the information about the failure(s) and the answer "no" to the second question of the
questionnaire for collecting the information about the failure(s), then the variable sf = 1
2. If software user gives the answer "yes" to the first question of the questionnaire for collecting
the information about the failure(s) and the answer "yes" to the second question of the
questionnaire for collecting the information about the failure(s), then the variable sf = 2
3. If software user gives the answer "no" to the first question of the questionnaire for collecting
the information about the failure(s), then the variable sf = 3
Questionnaire for collecting the information about vulnerability(s):
1. Did the software stop functioning for a time exceeding the specified threshold time during the
execution of a certain feature?
2. Has there been a loss of data completeness after performing a certain feature?
3. Has there been a data leak after performing a certain feature?
4. Did it become impossible to obtain the information permitted to the user after performing a
certain feature?</p>
        <p>Each of the questions in the questionnaire for collecting the information about vulnerability(s) can
have "yes" or "no" answer.</p>
        <p>
          Rules for the classification of vulnerabilities based on the analysis of answers to questions of
questionnaire for collecting the information about vulnerability(s):
1. If software user gives the answer "yes" to the first question of the questionnaire for collecting
the information about vulnerability(s), then the element of the matrix sv[
          <xref ref-type="bibr" rid="ref1 ref1">1,1</xref>
          ] = 1
2. If software user gives the answer "yes" to the second question of the questionnaire for collecting
the information about vulnerability(s), then the element of the matrix sv[
          <xref ref-type="bibr" rid="ref1 ref2">1,2</xref>
          ] = 1
3. If software user gives the answer "yes" to the third question of the questionnaire for collecting
the information about vulnerability(s), then the element of the matrix sv[
          <xref ref-type="bibr" rid="ref1 ref3">1,3</xref>
          ] = 1
4. If software user gives the answer "yes" to the fourth question of the questionnaire for collecting
the information about vulnerability(s), then the element of the matrix sv[
          <xref ref-type="bibr" rid="ref1 ref4">1,4</xref>
          ] = 1
        </p>
        <p>Therefore, questionnaires for collecting the information about failure(s) and for collecting the
information about vulnerability(s), as well as rules for the classification of failures based on the analysis
of answers to questions of questionnaire for collecting the information about the failure(s) and rules for
the classification of vulnerabilities based on the analysis of answers to questions of questionnaire for
collecting the information about vulnerability(s) have been developed. The developed rules make it
possible to identify and classify failure(s) and vulnerability(s) of software that occurred during the
software's operation.</p>
        <p>
          Method for ensuring the software security by identifying and classifying the failures and
vulnerabilities consists of the following steps:
1. variable sf = 0; filling the first row of the sv matrix with zeros; filling in the second line of the
matrix sv in order to further form a conclusion about the type of vulnerability(s): sv[
          <xref ref-type="bibr" rid="ref1 ref2">2,1</xref>
          ] = "the
feature of the software is a vulnerability of correct operation"; sv[
          <xref ref-type="bibr" rid="ref2 ref2">2,2</xref>
          ] = “the feature of the
software is a vulnerability of integrity of information”; sv[
          <xref ref-type="bibr" rid="ref2 ref3">2,3</xref>
          ] = “the feature of the software
is a vulnerability of privacy of information”; sv[
          <xref ref-type="bibr" rid="ref2 ref4">2,4</xref>
          ] = “the feature of the software is the
vulnerability of the availability of information”
2. conducting the software user survey (using compiled questionnaires for collecting the
information about failure(s) and vulnerability(s))
3. analysis of the answers given by the user to the questions of questionnaire for collecting the
information about failure(s) using the rules for the classification of failures, and forming the
value of the variable sf
4. if sf=1, then the user is given the conclusion "the software failure is insignificant", otherwise,
if sf=2, the user is given the conclusion "the software failure is significant", otherwise if sf=3,
the user is given the conclusion "the software failure is critical", otherwise, if sf=0, the user is
given the conclusion "software failures did not occur"
5. analysis of the answers given by the user to the questions of questionnaire for collecting the
information about vulnerability(s) using the rules for the classification of vulnerabilities, and
filling the first row of the sv matrix
6. if sv[1,i]=1 (i=1..4), then the user is given the conclusion about the type(s) of vulnerability –
element sv[2,i] (i=1..4) of the sv matrix, otherwise, if all the elements of the first row of the sv
matrix are equal to 0, then the user is given the conclusion "the feature of the software is not a
vulnerability"
        </p>
        <p>The developed method for ensuring the software security by identifying and classifying the failures
and vulnerabilities provides a conclusion as to whether a failure occurred, and if a failure occurred, its
type is issued to the user. In addition, the developed method for ensuring the software security by
identifying and classifying the failures and vulnerabilities provides a conclusion as to whether a feature
is a vulnerability, and if the feature is a vulnerability, its type is issued to the user.</p>
        <p>The developed method is the basis for designing the technology for ensuring the software security
by identifying and classifying the failures and vulnerabilities – Fig. 1.</p>
        <p>The developed technology for ensuring the software security by identifying and classifying the
failures and vulnerabilities provides a conclusion on the presence or absence of software failure(s);
conclusion on the presence or absence of software vulnerability(s); conclusion about the type of failure
and the type of vulnerability in case of their presence, thanks to which the proposed technology is useful
for software users due to the identification and classification of failures and vulnerabilities.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Results &amp; Discussion</title>
      <p>Let's consider the operation of the developed method and technology for ensuring the software
security by identifying and classifying the failures and vulnerabilities.</p>
      <p>According to the first stage of the developed method for ensuring the software security by identifying
and classifying the failures and vulnerabilities, the variable sf and the elements of the first row of the sv
matrix were reset to zero, as well as the filling of the second row of the sv matrix.</p>
      <p>According to the second stage of the developed method, a survey of the user of the software for
keeping accounting was carried out using compiled questionnaires for collecting the information about
failure(s) and vulnerability(s).</p>
      <p>According to the third stage of the developed method, the analysis of the answers given by the user
to the questions of the questionnaire for collecting the information about failure(s) was performed using
the rules for the classification of failures, and the formation of the value of the variable sf was
performed. Since the user of the software for keeping accounting gives the answer "yes" to the first
question of the questionnaire for collecting the information about failure(s) and answer "no" to the
second question of the questionnaire for collecting the information about failure(s), then the variable
sf = 1.</p>
      <p>According to the fourth stage of the developed method, since sf=1, the user is given the conclusion
"software failure is insignificant".</p>
      <p>According to the fifth stage of the developed method for ensuring the software security by
identifying and classifying the failures and vulnerabilities, an analysis of the answers given by the user
to the questions of questionnaire for collecting the information about vulnerability(s) was performed
using the rules for the classification of vulnerabilities, and filling the first row of the sv matrix was
performed. The user of the software for keeping accounting answered "yes" to the first, third and fourth
questions, so the sv matrix looks like – Table 2.</p>
      <p>
        According to the sixth stage of the developed method, since sv[
        <xref ref-type="bibr" rid="ref1 ref1">1,1</xref>
        ]=1, the user is given the
conclusion about the type of vulnerability – "The feature of the software is a vulnerability of correct
operation" (element sv[
        <xref ref-type="bibr" rid="ref1 ref2">2,1</xref>
        ] of the sv matrix). Since sv[
        <xref ref-type="bibr" rid="ref1 ref3">1,3</xref>
        ]=1, the user is given the conclusion about
the type of vulnerability – "The feature of the software is a vulnerability of privacy of information"
(element sv[
        <xref ref-type="bibr" rid="ref2 ref3">2,3</xref>
        ] of the sv matrix). Since sv[
        <xref ref-type="bibr" rid="ref1 ref4">1,4</xref>
        ]=1, the user is given the conclusion about the type of
vulnerability – "The feature of the software is the vulnerability of the availability of information"
(element sv[
        <xref ref-type="bibr" rid="ref2 ref4">2,4</xref>
        ] of the sv matrix). Therefore, the considered feature of the software is the vulnerability
of correct operation, privacy and availability of information.
      </p>
      <p>The conducted experiment with the applying the developed method and technology for ensuring the
software security by identifying and classifying the failures and vulnerabilities for software for keeping
accounting showed that, based on a survey of the user of software for keeping accounting, a conclusion
was given regarding the presence of an insignificant failure of the software for keeping accounting, as
well as a conclusion regarding the presence of a vulnerability of the correct work, privacy and
availability of information in the considered software for keeping accounting.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusions</title>
      <p>All major software security approaches are aimed at preventing total software failure, but not at
identifying software failures and vulnerabilities. The success of software security approaches is only
possible due to the identification and reduction of the number of errors, therefore, the identification of
software failures and vulnerabilities is an urgent task at the moment.</p>
      <p>The conducted literature review on known methods and technologies for providing the software
security and for identifying the failures and vulnerabilities of software showed that, although the
analyzed methods and technologies have great potential for the field of software engineering, none of
the known solutions are intended for identification and classification of software failures and
vulnerabilities. Therefore, it is necessary to develop a method for ensuring the software security by
identifying and classifying the failures and vulnerabilities, as well as to design and implement a
technology for ensuring the software security by identifying and classifying the failures and
vulnerabilities, which is the goal of this study.</p>
      <p>The questionnaires for collecting the information about failure(s) and for collecting the information
about vulnerability(s), as well as rules for the classification of failures based on the analysis of answers
to questions of questionnaire for collecting the information about the failure(s) and rules for the
classification of vulnerabilities based on the analysis of answers to questions of questionnaire for
collecting the information about vulnerability(s) have been developed in this paper. The developed rules
make it possible to identify and classify failure(s) and vulnerability(s) of software that occurred during
the software's operation.</p>
      <p>The developed in this paper method for ensuring the software security by identifying and classifying
the failures and vulnerabilities provides a conclusion as to whether a failure occurred, and if a failure
occurred, its type is issued to the user. In addition, the developed method for ensuring the software
security by identifying and classifying the failures and vulnerabilities provides a conclusion as to
whether a feature is a vulnerability, and if the feature is a vulnerability, its type is issued to the user.</p>
      <p>The paper also develops a technology for ensuring the software security by identifying and
classifying the failures and vulnerabilities, which provides a conclusion on the presence or absence of
software failure(s); conclusion on the presence or absence of software vulnerability(s); conclusion about
the type of failure and the type of vulnerability in case of their presence, thanks to which the proposed
technology is useful for software users due to the identification and classification of failures and
vulnerabilities.</p>
      <p>The conducted experiment with the applying the developed method and technology for ensuring the
software security by identifying and classifying the failures and vulnerabilities for software for keeping
accounting showed that, based on a survey of the user of software for keeping accounting, a conclusion
was given regarding the presence of an insignificant failure of the software for keeping accounting, as
well as a conclusion regarding the presence of a vulnerability of the correct work, privacy and
availability of information in the considered software for keeping accounting.</p>
    </sec>
    <sec id="sec-6">
      <title>6. References</title>
      <p>Technical Conference “Computer Science and Information Technologies”, СSIT-2018, Lviv,
2018, vol.1, pp. 215-218. doi: 10.1109/STC-CSIT.2018.8526730.
[11] Yahoo says 500 million accounts stolen, 2016. URL:
https://money.cnn.com/2016/09/22/technology/yahoo-data-breach.
[12] Equifax Made Major Errors That Led to Hack, Ex-CEO Concedes, 2017. URL:
https://www.bloomberg.com/news/articles/2017-10-02/ex-equifax-ceo-says-human-tech-failuresallowed-breach-to-occur.
[13] Facebook Says Breach Affected About 50 Million Accounts, 2018. URL:
https://www.bloomberg.com/news/articles/2018-09-28/facebook-says-security-breach-affectedabout-50-million-accounts.
[14] A.G. Underwood Announces Record $148 Million Settlement With Uber Over 2016 Data Breach,
2018. URL:
https://ag.ny.gov/press-release/2018/ag-underwood-announces-record-148-millionsettlement-uber-over-2016-data-breach.
[15] It could have been prevented: it became known why government websites "went down", 2022.</p>
      <p>URL: https://www.epravda.com.ua/news/2022/01/14/681448/.
[16] S. McConnell, Code complete, Microsoft Press, Redmond, 2013.
[17] T. Ostrand, E. Weyuker, Predicting bugs in large industrial software systems. Lecture Notes in</p>
      <p>Computer Science 7171 (2013) 71-93. doi: 10.1007/978-3-642-36054-1_3.
[18] M. Razian, H. Sangchi. A Threatened-based Software Security Evaluation Method, in:
Proceedings of 11th International ISC Conference on Information Security and Cryptology,
ISCISC-2014, Tehran, 2014, pp. 120-125. doi: 10.1109/ISCISC.2014.6994034.
[19] L. ben Othmane, P. Angin, H. Weffers, B. Bhargava. Extending the Agile Development Process
to Develop Acceptably Secure Software. IEEE Transactions on Dependable and Secure
Computing 11 6 (2015) 497-509. doi: 10.1109/TDSC.2014.2298011.
[20] U. Erlingsson. Data-driven Software Security: Models and Methods, in: Proceedings of 29th IEEE
Computer Security Foundations Symposium, CSF-2017, Lisbon, 2017, pp. 9-15. doi:
10.1109/CSF.2016.40.
[21] D. Baca, K. Petersen. Prioritizing Countermeasures through the Countermeasure Method for
Software Security (CM-Sec). Lecture Notes in Computer Science 6156 (2010) 176-190. doi:
10.1007/978-3-642-13792-1_15.
[22] A. Randrianasolo, L. Pyeatt. Q-Learning: From Computer Network Security To Software Security,
in: Proceedings of 13th International Conference on Machine Learning and Applications,
ICMLA2014, Detroit, 2014, pp. 257-262. doi: 10.1109/ICMLA.2014.47.
[23] M. Ramachandran. Software security requirements management as an emerging cloud computing
service. International Journal of Information Management 36 4 (2016) 580-590. doi:
10.1016/j.ijinfomgt.2016.03.008.
[24] S. Farhan, M. Mostafa. A Methodology for Enhancing Software Security During Development
Processes, in: Proceedings of 21st Saudi-Computer-Society National Computer Conference,
NCC2018, Riyadh, 2018, pp. 1-6. doi: 10.1109/NCG.2018.8593135.
[25] B. Xu, M. Lu, D. Zhang. A Layered Argument Strategy for Software Security Case Development,
in: Proceedings of 28th IEEE International Symposium on Software Reliability Engineering,
Toulouse, 2017, pp. 331-338. doi: 10.1109/ISSREW.2017.52.
[26] X. Hu, Y. Zhuang, F. Zhang. A security modeling and verification method of embedded software
based on Z and MARTE. Computers &amp; Security 88 (2020) No 10615. doi:
10.1016/j.cose.2019.101615.
[27] F. Lugou, L. Apvrille, A. Francillon. SMASHUP: a toolchain for unified verification of
hardware/software co-designs. Journal of Cryptographic Engineering 7 1 (2017) 63-74. doi:
10.1007/s13389-016-0145-2.
[28] B. Emeka, S. Liu. Assessing and Extracting Software Security Vulnerabilities in SOFL Formal
Specifications, in: Proceedings of 17th Annual International Conference on Electronics,
Information, and Communication, ICEIC-2018, Honolulu, 2018, pp. 374-377. doi:
10.23919/ELINFOCOM.2018.8330613.
[29] A. Sedaghatbaf, M. Azgomi. Software Architecture Modeling and Evaluation Based on Stochastic
Activity Networks. Lecture Notes in Computer Science 939 (2015) 46-53. doi:
10.1007/978-3319-24644-4_3.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>What is Software Failure</surname>
          </string-name>
          ,
          <year>2021</year>
          . URL: https://www.igi
          <article-title>-global.com/dictionary/investigation-ofsoftware-reliability-prediction-using-statistical-and-machine-learning-</article-title>
          <source>methods/59093.</source>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>O.</given-names>
            <surname>Pomorova</surname>
          </string-name>
          ,
          <source>T. Hovorushchenko. Research of Artificial Neural Network's Component of Software Quality Evaluation and Prediction Method, in: Proceedings of the 2011 IEEE 6-th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications</source>
          , IDAACS-2011, Prague,
          <year>2011</year>
          , vol.
          <volume>2</volume>
          , pp.
          <fpage>959</fpage>
          -
          <lpage>962</lpage>
          . doi:
          <volume>10</volume>
          .1109/IDAACS.
          <year>2011</year>
          .
          <volume>6072916</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Pomorova</surname>
          </string-name>
          .
          <article-title>Methodology of Evaluating the Sufficiency of Information on Quality in the Software Requirements Specifications</article-title>
          ,
          <source>in: Proceedings of 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies, DeSSerT-2018</source>
          ,
          <year>2018</year>
          , pp.
          <fpage>385</fpage>
          -
          <lpage>389</lpage>
          . doi:
          <volume>10</volume>
          .1109/DESSERT.
          <year>2018</year>
          .
          <volume>8409161</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          .
          <article-title>Methodology of Evaluating the Sufficiency of Information for Software Quality Assessment According to ISO 25010</article-title>
          .
          <source>Journal of Information and Organizational Sciences 42 1</source>
          (
          <year>2018</year>
          )
          <fpage>63</fpage>
          -
          <lpage>85</lpage>
          . doi:
          <volume>10</volume>
          .31341/jios.42.
          <issue>1</issue>
          .4.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          .
          <article-title>Information Technology for Assurance of Veracity of Quality Information in the Software Requirements Specification</article-title>
          .
          <source>Advances in Intelligent Systems and Computing</source>
          <volume>689</volume>
          (
          <year>2018</year>
          )
          <fpage>166</fpage>
          -
          <lpage>185</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -70581-1_
          <fpage>12</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>M.</given-names>
            <surname>Howard</surname>
          </string-name>
          , D. LeBlanc, J. Viega, 24 Deadly Sins of Software Security:
          <article-title>Programming Flaws and How to Fix Them</article-title>
          ,
          <string-name>
            <surname>McGraw-Hill</surname>
            <given-names>Education</given-names>
          </string-name>
          , Redmond,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Pavlova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Medzatyi</surname>
          </string-name>
          .
          <article-title>Ontology-Based Intelligent Agent for Determination of Sufficiency of Metric Information in the Software Requirements</article-title>
          .
          <source>Advances in Intelligent Systems and Computing</source>
          <volume>1020</volume>
          (
          <year>2020</year>
          )
          <fpage>447</fpage>
          -
          <lpage>460</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>030</fpage>
          -26474-1_
          <fpage>32</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Pavlova</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Bodnar</surname>
          </string-name>
          .
          <article-title>Development of an Intelligent Agent for Analysis of Nonfunctional Characteristics in Specifications of Software Requirements</article-title>
          .
          <source>Eastern-European Journal of Enterprise Technologies 1</source>
          <volume>2</volume>
          (
          <issue>97</issue>
          ) (
          <year>2019</year>
          )
          <fpage>6</fpage>
          -
          <lpage>17</lpage>
          . doi:
          <volume>10</volume>
          .15587/
          <fpage>1729</fpage>
          -
          <lpage>4061</lpage>
          .
          <year>2019</year>
          .
          <volume>154074</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Pavlova</surname>
          </string-name>
          .
          <article-title>Method of Activity of Ontology-Based Intelligent Agent for Evaluating the Initial Stages of the Software Lifecycle</article-title>
          .
          <source>Advances in Intelligent Systems and Computing</source>
          <volume>836</volume>
          (
          <year>2019</year>
          )
          <fpage>169</fpage>
          -
          <lpage>178</lpage>
          . doi:
          <volume>10</volume>
          .1007/978-3-
          <fpage>319</fpage>
          -97885-7_
          <fpage>17</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>T.</given-names>
            <surname>Hovorushchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Pavlova</surname>
          </string-name>
          .
          <article-title>Evaluating the Software Requirements Specifications Using Ontology-Based Intelligent Agent</article-title>
          ,
          <source>in: Proceedings of 2018 IEEE International Scientific and</source>
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>