Failure-prone components are also attack-prone components

Authors:
Michael Gegick
Affiliations:
Department of Computer Science, North Carolina State University, Raleigh, NC, USA
Venue:
Companion to the 23rd ACM SIGPLAN conference on Object-oriented programming systems languages and applications
Year:
2008

Citing 2
Cited 2

Where the bugs are

ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Applying Software Reliability Models on Security Incidents

ISSRE '07 Proceedings of the The 18th IEEE International Symposium on Software Reliability

Toward Non-security Failures as a Predictor of Security Faults and Failures

ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Predicting vulnerable software components with dependency graphs

Proceedings of the 6th International Workshop on Security Measurements and Metrics

Quantified Score

Hi-index	0.00

Visualization

Abstract

Limited resources preclude software engineers from finding and fixing all security vulnerabilities in a software system. A predictive model that identifies which components are attack-prone can prioritize fortification efforts where they are needed most. We have analyzed two large commercial telecommunications systems that have been deployed to the field. We have found strong correlations (as high as 0.82) between non-security failures and security failures and that the most failure-prone components are likely to be attack-prone. Additionally, non-security failures were found to be a good metric for estimating the count of security failures for a given software