2 research outputs found

    Feature Set Selection for Improved Classification of Static Analysis Alerts

    With the extreme growth in third-party cloud applications, increased exposure of applications to the internet, and the impact of successful breaches, improving the security of software being produced is imperative. Static analysis tools can alert to quality and security vulnerabilities of an application; however, they present developers and analysts with a high rate of false positives and unactionable alerts. This problem may lead to the loss of confidence in the scanning tools, possibly resulting in the tools not being used. The discontinued use of these tools may increase the likelihood of insecure software being released into production. Insecure software can be successfully attacked, resulting in the compromise of one or several information security principles such as confidentiality, availability, and integrity. Feature selection methods have the potential to improve the classification of static analysis alerts and thereby reduce the false positive rates. Thus, the goal of this research effort was to improve the classification of static analysis alerts by proposing and testing a novel method leveraging feature selection. The proposed model was developed and subsequently tested on three open source PHP applications spanning several years. The results were compared to a classification model utilizing all features to gauge the classification improvement of the feature selection model. The model presented did result in improved classification accuracy and a reduction of the false positive rate on a reduced feature set. This work contributes a real-world static analysis dataset based upon three open source PHP applications. It also enhanced an existing data set generation framework to include additional predictive software features. However, the main contribution is a feature selection methodology that may be used to discover optimal feature sets that increase the classification accuracy of static analysis alerts.

    Mandatory Public Reporting: Build It and Who Will Come?

    Summary: Rates of healthcare-associated infections (HAI) are being reported on an increasing number of public information websites in response to legislative mandates driven by consumer advocacy. This represents a new strategy to advance patient safety and quality of care by informing a broad audience about the relative performance of individual healthcare facilities. Unlike typical consumer health informatics products, the target audience and targeted health behaviors are less easily defined; further, the impact on providers to improve care is unknown relative to other incentives to improve. To address critical knowledge gaps facing all state agencies embarking on this new frontier, we found it essential and straightforward to recruit the assistance of university research faculty from a variety of disciplines. That interdisciplinary group was quickly able to define a 5-year applied evaluation research agenda spanning a progressive set of crucial questions.