Can software reliability models be used to assess software security? One of the issues is that security problems are relatively rare under “normal” operational profiles, while “classical” reliability models may not be suitable for use in attack conditions. We investigated a range of Fedora open source software security problems to see if some of the basic assumptions behind software reliability growth models hold for discovery of security problems in non-attack situations. We find that in some cases, under “normal” operational use, security problem detection process may be described as a Poisson process. In those cases, we can use appropriate classical software reliability growth models to assess “security reliability” of that software in non-attack situations.
[1]
Amrit L. Goel,et al.
Software Reliability Models: Assumptions, Limitations, and Applicability
,
1985,
IEEE Transactions on Software Engineering.
[2]
Shigeru Yamada,et al.
S-Shaped Reliability Growth Modeling for Software Error Detection
,
1983,
IEEE Transactions on Reliability.
[3]
Mladen A. Vouk,et al.
A study of software security problem disclosure, correction and patching processes
,
2011
.
[4]
Paul Rook,et al.
Software Reliability Handbook
,
1990
.
[5]
Ashok Kishore Trivedi.
Computer software reliability: many-state markov modeling techniques.
,
1975
.