Measuring, analyzing and predicting security vulnerabilities in software systems

Computers and Security

Volumn 26, Issue 3, 2007, Pages 219-228

  Alhazmi, O H ^a   Malaiya, Y K ^a   Ray, I ^a  

^a Department of Computer Science   (United States)

Author keywords

Defect density; Quantitative security modeling; Risk evaluation; Security holes; Vulnerabilities

Indexed keywords

COMPUTER OPERATING SYSTEMS; DEFECT DENSITY; MATHEMATICAL MODELS; PROJECT MANAGEMENT; RISK ANALYSIS; SOFTWARE TESTING;

LINEAR MODELS; SECURITY MODELING; SOFTWARE DEFECTS;

SECURITY OF DATA;

EID: 34248348339     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2006.10.002     Document Type: Article

References (29)

1. Alhazmi OH, Malaiya YK. Quantitative vulnerability assessment of systems software. In: Proceedings of 51st annual reliability and maintainability symposium, Alexandria, VA; January 2005. p. 615-20.
2. Alhazmi OH, Malaiya YK. Modeling the vulnerability discovery process. In: International Symposium on Software Reliability Engineering; November 2005.
3. Alhazmi OH, Malaiya YK, Ray I. Security vulnerabilities in software systems: a quantitative perspective. In: Proceedings of IFIP WG 11.3 working conference on data and applications security; August 2005. p. 281-94.
4. Alves-Foss J., and Barbosa S. Assessing computer security vulnerability. Operating Systems Review 29 3 (1995) 3-13
5. Anderson Ross. Security in open versus closed systems-the dance of Boltzmann, Coase and Moore. In: Conference on open source software: economics, law and policy, Toulouse, France; June 2002. p. 1-15, http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf.
6. Arbaugh W.A., Fithen W.L., and McHugh J. Windows of vulnerability: a case study analysis. IEEE Computer 33 12 (December 2000) 52-59
7. Brocklehurst S., Littlewood B., Olovsson T., and Jonsson E. On measurement of operational security. Proceedings of the 9th annual IEEE conference on computer assurance (1994), IEEE Computer Society, Gaithersburg 257-266
8. Browne HK, Arbaugh WA, McHugh J, Fithen WL. A trend analysis of exploitation. In: Proceedings of the IEEE Symposium on Security and Privacy; May 2001. p. 214-29.
9. Brykczynski B., and Small R.A. Reducing internet-based intrusions: effective security patch management. IEEE Software 20 1 (January-February 2003) 50-57
10. Handbook of software reliability engineering. In: Lyu M.R. (Ed) (1995), McGraw-Hill
11. Jonsson E., and Olovsson T. A quantitative model of the security intrusion process based on attacker behavior. IEEE Transactions on Software Engineering 24 3 (April 1997) 235-245
12. Littlewood B., Brocklehurst S., Fenton N., Mellor P., Page S., and Wright D. Towards operational measures of computer security. Journal of Computer Security 2 2/3 (1993) 211-230
13. Longstaff T. CERT experience with security problems in software (June 2003-June 2003), Carnegie Mellon University. http://research.microsoft.com/projects/SWSecInstitute/slides/Longstaff.pdf
14. Madan BB, Goseva-Popstojanova K, Vaidyanathan K, Trivedi KS. Modeling and quantification of security attributes of software systems. In: Proceedings of the IEEE international performance and dependability symposium (IPDS 2002); June 2002.
15. Malaiya YK, Denton J. What do the software reliability growth model parameters represent? In: International symposium on software reliability engineering; 1997. p. 124-35.
16. Malaiya YK, Denton J. Module size distribution and defect density. In: Proceedings of the IEEE international symposium on software reliability engineering; October 2000. p. 62-71.
17. McGraw G. From the ground up: the DIMACS software security workshop. IEEE Security & Privacy 1 2 (March/April 2003) 59-66
18. Mockus A., Fielding R.T., and Herbsleb J. Two case studies of open source software development: Apache and Mozilla. ACM Transactions on Software Engineering and Methodology 11 3 (2002) 309-346
19. Mohagheghi P, Conradi R, Killi OM, Schwarz H. An empirical study of software reuse vs. defect-density. In: Proceedings of the 26th international conference on software engineering; May 2004. p. 282-91.
20. Musa J.D., Ianino A., and Okumuto K. Software reliability measurement prediction application (1987), McGraw-Hill
21. National Vulnerability Database; February 2005. .
22. OS Data, Windows 98 (March 2004).
23. Ounce Labs. Security by the numbers: the need for metrics in application security (2004).
24. Pfleeger C.P. Security in computing (1997), Prentice-Hall
25. Red Hat Bugzilla (January 2005).
26. Rescorla E. Is finding security holes a good idea?. Economics of Information Security 3 1 (January-February 2005) 14-19
27. Rodrigues P. Windows XP Beta 02. Only 106,500 bugs (August 2001).
28. Schultz Jr. E.E., Brown D.S., and Longstaff T.A. Responding to computer security incidents (July 23, 1990), Lawrence Livermore National Laboratory. ftp://ftp.cert.dfn.de/pub/docs/csir/ihg.ps.gz
29. The MITRE Corporation (February 2005).