Software reliability: measurement, prediction, application
Handbook of software reliability engineering
Validation, Verification, and Testing: Diversity Rules
IEEE Software
Software vulnerability analysis
Basic Concepts and Taxonomy of Dependable and Secure Computing
IEEE Transactions on Dependable and Secure Computing
Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Modeling the Vulnerability Discovery Process
ISSRE '05 Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering
Assessing Vulnerabilities in Apache and IIS HTTP Servers
DASC '06 Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing
ISSRE '06 Proceedings of the 17th International Symposium on Software Reliability Engineering
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Prediction capabilities of vulnerability discovery models
RAMS '06 Proceedings of the Annual Reliability and Maintainability Symposium, 2006
Impact of inheritance on vulnerability propagation at design phase
ACM SIGSOFT Software Engineering Notes
Quantified security is a weak hypothesis: a critical survey of results and assumptions
NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Proceedings of the 26th Annual Computer Security Applications Conference
Is open source security a myth?
Communications of the ACM
An empirical study on using the national vulnerability database to predict software vulnerabilities
DEXA'11 Proceedings of the 22nd international conference on Database and expert systems applications - Volume Part I
An historical examination of open source releases and their vulnerabilities
Proceedings of the 2012 ACM conference on Computer and communications security
Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.