{"id":"https://openalex.org/W4284676044","doi":"https://doi.org/10.1145/3510003.3510210","title":"A grounded theory based approach to characterize software attack surfaces","display_name":"A grounded theory based approach to characterize software attack surfaces","publication_year":2022,"publication_date":"2022-05-21","ids":{"openalex":"https://openalex.org/W4284676044","doi":"https://doi.org/10.1145/3510003.3510210"},"language":"en","primary_location":{"id":"doi:10.1145/3510003.3510210","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3510003.3510210","pdf_url":null,"source":{"id":"https://openalex.org/S4363608872","display_name":"Proceedings of the 44th International Conference on Software Engineering","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 44th International Conference on Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5037272618","display_name":"Sara Moshtari","orcid":"https://orcid.org/0000-0002-7918-0467"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Sara Moshtari","raw_affiliation_strings":["Rochester Institute of Technology"],"affiliations":[{"raw_affiliation_string":"Rochester Institute of Technology","institution_ids":["https://openalex.org/I155173764"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040805050","display_name":"Ahmet Okutan","orcid":"https://orcid.org/0000-0001-6664-515X"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ahmet Okutan","raw_affiliation_strings":["Rochester Institute of Technology"],"affiliations":[{"raw_affiliation_string":"Rochester Institute of Technology","institution_ids":["https://openalex.org/I155173764"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5088410123","display_name":"Mehdi Mirakhorli","orcid":"https://orcid.org/0000-0003-3470-6856"},"institutions":[{"id":"https://openalex.org/I155173764","display_name":"Rochester Institute of Technology","ror":"https://ror.org/00v4yb702","country_code":"US","type":"education","lineage":["https://openalex.org/I155173764"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Mehdi Mirakhorli","raw_affiliation_strings":["Rochester Institute of Technology"],"affiliations":[{"raw_affiliation_string":"Rochester Institute of Technology","institution_ids":["https://openalex.org/I155173764"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5037272618"],"corresponding_institution_ids":["https://openalex.org/I155173764"],"apc_list":null,"apc_paid":null,"fwci":1.0196,"has_fulltext":false,"cited_by_count":7,"citation_normalized_percentile":{"value":0.7849478,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"13","last_page":"24"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.9331023097038269},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6856426000595093},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6670974493026733},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6092394590377808},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.5943217873573303},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5818814039230347},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5583465099334717},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5499184727668762},{"id":"https://openalex.org/keywords/vulnerability-management","display_name":"Vulnerability management","score":0.5391663908958435},{"id":"https://openalex.org/keywords/grounded-theory","display_name":"Grounded theory","score":0.5170415043830872},{"id":"https://openalex.org/keywords/categorization","display_name":"Categorization","score":0.49366459250450134},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4198251962661743},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.4165150225162506},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.3445563018321991},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.3289147615432739},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.21216744184494019},{"id":"https://openalex.org/keywords/qualitative-research","display_name":"Qualitative research","score":0.16301974654197693}],"concepts":[{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.9331023097038269},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6856426000595093},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6670974493026733},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6092394590377808},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.5943217873573303},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5818814039230347},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5583465099334717},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5499184727668762},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.5391663908958435},{"id":"https://openalex.org/C156325361","wikidata":"https://www.wikidata.org/wiki/Q1152864","display_name":"Grounded theory","level":3,"score":0.5170415043830872},{"id":"https://openalex.org/C94124525","wikidata":"https://www.wikidata.org/wiki/Q912550","display_name":"Categorization","level":2,"score":0.49366459250450134},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4198251962661743},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.4165150225162506},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.3445563018321991},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.3289147615432739},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.21216744184494019},{"id":"https://openalex.org/C190248442","wikidata":"https://www.wikidata.org/wiki/Q839486","display_name":"Qualitative research","level":2,"score":0.16301974654197693},{"id":"https://openalex.org/C137176749","wikidata":"https://www.wikidata.org/wiki/Q4105337","display_name":"Psychological resilience","level":2,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C36289849","wikidata":"https://www.wikidata.org/wiki/Q34749","display_name":"Social science","level":1,"score":0.0},{"id":"https://openalex.org/C542102704","wikidata":"https://www.wikidata.org/wiki/Q183257","display_name":"Psychotherapist","level":1,"score":0.0},{"id":"https://openalex.org/C144024400","wikidata":"https://www.wikidata.org/wiki/Q21201","display_name":"Sociology","level":0,"score":0.0},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3510003.3510210","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3510003.3510210","pdf_url":null,"source":{"id":"https://openalex.org/S4363608872","display_name":"Proceedings of the 44th International Conference on Software Engineering","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 44th International Conference on Software Engineering","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6399999856948853,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":22,"referenced_works":["https://openalex.org/W569790872","https://openalex.org/W1482707767","https://openalex.org/W1603882355","https://openalex.org/W1615506555","https://openalex.org/W1628659466","https://openalex.org/W2064068790","https://openalex.org/W2085925880","https://openalex.org/W2097444001","https://openalex.org/W2129586531","https://openalex.org/W2133933998","https://openalex.org/W2324618882","https://openalex.org/W2329395632","https://openalex.org/W2353739181","https://openalex.org/W2538350143","https://openalex.org/W2596078388","https://openalex.org/W2714550548","https://openalex.org/W2785352827","https://openalex.org/W2794694213","https://openalex.org/W2883434603","https://openalex.org/W2888035510","https://openalex.org/W4229749093","https://openalex.org/W4235278727"],"related_works":["https://openalex.org/W3043810321","https://openalex.org/W2383958993","https://openalex.org/W2123075981","https://openalex.org/W2796094063","https://openalex.org/W2537414278","https://openalex.org/W2560421591","https://openalex.org/W4390606847","https://openalex.org/W2589805430","https://openalex.org/W4388483595","https://openalex.org/W3155916161"],"abstract_inverted_index":{"The":[0,28,247,262],"notion":[1],"of":[2,13,35,44,59,74,81,103,106,124,149,241,264,277],"Attack":[3],"Surface":[4],"refers":[5],"to":[6,30,69,99,118,195,220],"the":[7,11,183,228,260,265,278],"critical":[8],"points":[9],"on":[10,52,85,95,138],"boundary":[12],"a":[14,39,71,114,133,147,233],"software":[15,36,107,151,242],"system":[16,37],"which":[17],"are":[18,285],"accessible":[19],"from":[20,160,223,244],"outside":[21],"or":[22],"contain":[23],"valuable":[24],"content":[25],"for":[26,205],"attackers.":[27],"ability":[29],"identify":[31,120],"attack":[32,60,75,86,91,125,206,216,238,252,267,282],"surface":[33,76,87,92,126,207,217,239,253,268,283],"components":[34,93,240,254,284],"has":[38],"significant":[40],"role":[41],"in":[42,259],"effectiveness":[43],"vulnerability":[45,53,142,158,225],"analysis":[46,116,137,230],"approaches.":[47],"Most":[48],"prior":[49,271],"works":[50,272],"focus":[51],"techniques":[54],"that":[55,236,255,274],"use":[56],"an":[57,121],"approximation":[58],"surfaces":[61],"and":[62,144,153,168,171,190,194,212,231],"there":[63],"have":[64,83],"not":[65,257],"been":[66],"many":[67],"attempts":[68],"create":[70],"comprehensive":[72,234],"list":[73,123],"components.":[77,127],"Although":[78],"limited":[79],"number":[80],"studies":[82],"focused":[84],"analysis,":[88],"they":[89,188,192],"defined":[90],"based":[94],"project":[96],"specific":[97,104],"hypotheses":[98],"evaluate":[100],"security":[101,154],"risk":[102],"types":[105],"applications.":[108],"In":[109],"this":[110,129],"study,":[111],"we":[112,131,200],"leverage":[113],"qualitative":[115],"approach":[117],"empirically":[119],"extensive":[122],"To":[128],"end,":[130],"conduct":[132],"Grounded":[134],"Theory":[135],"(GT)":[136],"1444":[139],"previously":[140],"published":[141],"reports":[143],"weaknesses":[145],"with":[146,270],"team":[148],"three":[150,179,202],"developers":[152],"experts.":[155],"We":[156,177,214],"extract":[157,215],"information":[159,226],"two":[161],"publicly":[162],"available":[163],"repositories:":[164],"1)":[165],"Common":[166,173],"Vulnerabilities":[167],"Exposures":[169],"(CVE)":[170],"2)":[172],"Weakness":[174],"Enumeration":[175],"(CWE).":[176],"ask":[178],"key":[180],"questions:":[181],"where":[182],"attacks":[184],"come":[185],"from,":[186],"what":[187],"target,":[189],"how":[191],"emerge,":[193],"help":[196],"answer":[197],"these":[198],"questions":[199],"define":[201],"core":[203],"categories":[204],"components:":[208],"Entry":[209],"points,":[210],"Targets,":[211],"Mechanisms.":[213],"concepts":[218],"related":[219],"each":[221],"category":[222],"collected":[224],"using":[227],"GT":[229],"provide":[232],"categorization":[235],"represents":[237],"systems":[243],"various":[245],"perspectives.":[246],"paper":[248],"introduces":[249],"254":[250],"new":[251],"did":[256],"exist":[258],"literature.":[261],"comparison":[263],"proposed":[266],"model":[269],"indicates":[273],"only":[275],"6.7%":[276],"identified":[279],"Code":[280],"level":[281],"studied":[286],"before.":[287]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":1}],"updated_date":"2026-01-09T23:09:53.351390","created_date":"2025-10-10T00:00:00"}