Modeling the vulnerability discovery process

Security vulnerabilities in servers and operating systems are software defects that pose significant risk. Both software developers and users struggle to contain the risk posed by these vulnerabilities, which are discovered by developers and by external testers throughout the lifespan of a software system. A few models of the vulnerability discovery process have recently been published. Such models would allow effective resource allocation for patch development and are also needed for evaluating the risk of vulnerability exploitation. Here we examine these models of the vulnerability discovery process, both analytically and using actual data on vulnerabilities discovered in three widely-used systems. The applicability of the proposed models and the significance of the parameters involved are discussed. The limitations of the proposed models are examined and major research challenges are identified.