Design Churn as Predictor of Vulnerabilities?

Abstract

This paper evaluates a metric suite to predict vulnerable Java classes based on how much the design of an application has changed over time. It refers to this concept as design churn in analogy with code churn. Based on a validation on 10 Android applications, it shows that several design churn metrics are in fact significantly associated with vulnerabilities. When used to build a prediction model, the metrics yield an average precision of 0.71 and an average recall of 0.27.