1. Technical Field
The present invention relates to data processing and, in particular, to determining security levels for software packages. Still more particularly, the present invention provides a method, apparatus, and program for determining a probabilistic security score for a software package.
2. Description of Related Art
Security vulnerabilities are an increasing source of concern for business users and ordinary end users. Estimated costs due to recent viruses run into the billions of dollars. Solutions to security problems range from administrative to technical, and from detective to reactive. One class of security solutions includes methods to encourage developers to write more secure code. Attacks may originate in the network layer or the system layer; however, many attacks originate in the application layer. Thus, software developers may use the security of their code as a selling point for their products. Even in the open source community, the reputation of a developer is very important, particularly with respect to the security of the code produced by the developer.
Even well-written code will likely include some bugs or security vulnerabilities. It is a significant goal of software developers to minimize these security vulnerabilities whenever possible. Several tools exist that analyze program code to identify security vulnerabilities. The Rough Auditing Tool for Security (RATS) is one such analysis tool that, as its name suggests, performs a rough analysis of source code. As another example, Flawfinder is a program that examines source code and reports possible security weaknesses sorted by risk level. These tools are very useful for quickly finding and removing at least some potential security problems before a program is widely released to the public. A current problem with the known solutions is that developers rarely use the existing tools, and the information delivered by the tools is not readily accessible to non-developers.