International Journal of Secure Software Engineering
This paper evaluates a metric suite to predict vulnerable Java classes based on how much the design of an application has changed over time. We refer to this concept as design churn in analogy with code churn. Based on a validation on 10 Android applications, we show that several design churn metrics are in fact significantly associated with vulnerabilities. When used to build a prediction model, the metrics yield an average precision of 0.71 and an average recall of 0.27.