Security and reliability are important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a future release of a software system. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in some of the popular operating systems is analyzed. We examine this data to determine whether the density of vulnerabilities in a program is a useful measure. We try to identify what fraction of software defects are security related, i.e., are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We consider the vulnerability-discovery rate to see whether models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that the values of vulnerability density fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that vulnerability discovery may be influenced by several factors, including the sharing of code between successive versions of a software system.