As the world continues to embrace a completely digital society in all aspects of life, the ever present threat of a security flaw in a software system looms. Especially with a stream of high profile security flaws and breaches, the public is more aware of the risk now than ever before.

However, the realities of any software project is that there are engineering concerns of the utmost importance that all demand simultaneous attention. To balance and manage these challenges, software engineering has developed patterns of industry activities and best practices. Yet even as engineers rely on these practices to stay afloat, managing security can become elusive in a tangled mess of complex relationships between systems. Modern software projects rely upon other software to do its job; only the most niche and specialized software lives in isolation in today's industry.

In this work, we present an approach to help alleviate one of the aspects of actively managing security in a software project. The objectives of this approach are 1) to establish the presence of a known vulnerability in a software project version and 2) to develop a set of versions of a software project which identify vulnerability status. We tested the approach on three Apache Software Foundation projects, for a total of eleven vulnerabilities tested. In the analysis of the results, we find that the approach is conservative in marking a particular version $not~vulnerable$, but when it does so, it is completely consistent with the evaluation results. This conservative nature is a beneficial characteristic of the approach when considering the context of software security in which it operates.

Library of Congress Subject Headings

Computer software--Security measures

Publication Date


Document Type


Student Type


Degree Name

Software Engineering (MS)

Department, Program, or Center

Software Engineering (GCCIS)


Meiyappan Nagappan

Advisor/Committee Member

Mehdi Mirakhorli

Advisor/Committee Member

Scott Hawker


Physical copy available from RIT's Wallace Library at QA76.9.A25 C33 2016


RIT – Main Campus