
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models

  • Conference paper

Part of the book series: Advances in Information Security (ADIS, volume 23)

Abstract

The software engineering tools historically used to examine faults can also be used to examine vulnerabilities and the rate at which they are discovered. I discuss the challenges of the collection process and compare two sets of vulnerability characterization criteria. I collected fifty-four months of vulnerability data for OpenBSD 2.2 and applied seven reliability growth models to the two data sets. These models only passed applicability tests for the data set that omits dependent data points. Musa’s Logarithmic model has the best one-step-ahead predictive accuracy of the three acceptably accurate models for that data set. It estimated that fifty-four months after OpenBSD 2.2’s release, the mean time to vulnerability discovery for OpenBSD 2.2 was 42.5 days and that 58.4% of the vulnerabilities it contains had been found. However, a trend analysis cannot rule out the possibility that there is no trend at all in the rate of vulnerability detection, and this result casts doubts on the accuracy of the reliability growth models. The lack of a clear decreasing trend in that analysis highlights one of the challenges of using reliability growth models on vulnerability data: it may be a true reflection of the system or it may be caused by the changes over time in the effort invested in vulnerability detection.
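An added worked example, not code from the paper, of the two analyses the abstract describes: a Laplace trend test over vulnerability discovery times, and a maximum-likelihood fit of Musa's Logarithmic Poisson model from which the current mean time to vulnerability discovery follows. The discovery days and the observation window are constructed, not OpenBSD 2.2 data, and the bisection bounds are assumptions.

```python
"""Added example (not from the paper): Laplace trend test plus a
maximum-likelihood fit of Musa's Logarithmic Poisson model to
vulnerability discovery times. All data below is constructed."""
import math

# Constructed sample: day after release on which each vulnerability was
# found, observed over a fixed window of OBS_DAYS (time-truncated data).
DISCOVERY_DAYS = [12, 30, 41, 77, 95, 150, 190, 260, 300, 410, 470, 620]
OBS_DAYS = 700


def laplace_factor(times, T):
    """Laplace trend statistic for time-truncated data. Roughly N(0,1) when
    the discovery rate has no trend; clearly negative (below about -1.96)
    indicates reliability growth, clearly positive indicates decay."""
    n = len(times)
    return (sum(times) / n - T / 2) / (T * math.sqrt(1 / (12 * n)))


def profile_score(beta, times, T):
    """Derivative in beta of the profile log-likelihood of the logarithmic
    Poisson model (mean value function ln(beta*t + 1)/theta), with lambda0
    already maximised out; the MLE for beta = lambda0*theta is its root."""
    n = len(times)
    return (n / beta - sum(t / (beta * t + 1) for t in times)
            - n * T / ((beta * T + 1) * math.log(beta * T + 1)))


def fit_musa_log(times, T, lo=1e-8, hi=10.0):
    """Maximum-likelihood fit; returns (lambda0, theta). The score is
    positive for tiny beta and negative for large beta (assumed bounds
    lo, hi), so bisection on the sign change locates the root."""
    n = len(times)
    for _ in range(200):
        mid = (lo + hi) / 2
        if profile_score(mid, times, T) > 0:
            lo = mid
        else:
            hi = mid
    beta = (lo + hi) / 2
    lambda0 = n * beta / math.log(beta * T + 1)
    return lambda0, beta / lambda0


def current_mttd(lambda0, theta, T):
    """Mean time to the next vulnerability discovery at time T: 1/intensity,
    where the model's intensity is lambda(T) = lambda0/(lambda0*theta*T + 1)."""
    return (lambda0 * theta * T + 1) / lambda0
```

For the constructed sample the Laplace factor is about -2.2, i.e. discoveries are slowing, and the fitted model puts the current mean time to discovery near 150 days; on real data the abstract's caveat applies, since changes in detection effort produce the same signal as genuine growth.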




Copyright information

© 2006 Springer Science+Business Media, LLC.

About this paper

Cite this paper

Ozment, A. (2006). Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_3


  • DOI: https://doi.org/10.1007/978-0-387-36584-8_3

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-29016-4

  • Online ISBN: 978-0-387-36584-8
