Effort estimates for vulnerability discovery projects

Proceedings of the Annual Hawaii International Conference on System Sciences

Volumn , Issue , 2012, Pages 5564-5573

  Sommestad, Teodor ^a   Holm, Hannes ^a   Ekstedt, Mathias ^a  

^a ROYAL INSTITUTE OF TECHNOLOGY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

SYSTEMS SCIENCE;

COOKE'S CLASSICAL METHODS; EFFORT ESTIMATES; SECURITY MEASURE; SECURITY VULNERABILITIES; SOFTWARE PRODUCTS; SOFTWARE VULNERABILITIES; VULNERABILITY DISCOVERY; ZERO DAY VULNERABILITIES;

SOFTWARE TESTING;

EID: 84857973207     PISSN: 15301605     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/HICSS.2012.238     Document Type: Conference Paper

References (33)

1. U.S.D. of C. NIST Computer Security Resource Center, "National Vulnerability Database," 2011.
2. O.H. Alhazmi and Y.K. Malaiya, "Quantitative vulnerability assessment of systems software," Proceedings of Annual Reliability and Maintainability Symposium, Ieee, 2005, pp. 615-620.
3. S.-W. Woo, H. Joh, O.H. Alhazmi, and Y.K. Malaiya, "Modeling vulnerability discovery process in Apache and IIS HTTP servers," Computers & Security, vol. 30, Jan. 2011, pp. 50-62.
4. B. De Win, R. Scandariato, K. Buyens, J. Gregoire, and W. Joosen, "On the secure software development process: CLASP, SDL and Touchpoints compared," Information and Software Technology, vol. 51, Jul. 2009, pp. 1152-1171.
5. A. Ozment, "Improving vulnerability discovery models," Proceedings of the 2007 ACM workshop on Quality of protection, ACM, 2007, p. 6-11.
6. R. Cooke, "TU Delft expert judgment data base," Reliability Engineering & System Safety, vol. 93, May. 2008, pp. 657-674.
7. M.A. McQueen, T.A. McQueen, W.F. Boyer, and M.R. Chaffin, "Empirical estimates and observations of 0day vulnerabilities," System Sciences, 2009. HICSS' 09. 42nd Hawaii International Conference on, IEEE, 2009, p. 1-12.
8. C. Cowan, "Software security for open-source systems," Security & Privacy, IEEE, vol. 1, 2003, p. 38-45.
9. M. Howard and D.C. LeBlanc, Writing Secure Code, Redmond, WA, USA: Microsoft Press, 2002.
10. Y. Younan, "Efficient countermeasures for software vulnerabilities due to memory management errors," Katholieke Universiteit Leuven, 2008.
11. S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, "Predicting vulnerable software components," Proceedings of the 14th ACM conference on Computer and communications security, New York, New York, USA: ACM, 2007, p. 529-540.
12. S. Sridhar and K. Altinkemer, "Software Vulnerabilities: Open Source versus Proprietary Software Security," AMCIS 2005 Proceedings, 2005.
13. C. Payne, "On the security of open source software," Information Systems Journal, vol. 12, Jan. 2002, pp. 61-78.
14. T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang, "Cyclone: A safe dialect of C," USENIX, Monterrey, CA, USA: 2002, pp. 275-288.
15. M.D. Penta, L. Cerulo, and L. Aversano, "The life and death of statically detected vulnerabilities: An empirical study," Information and Software Technology, vol. 51, Oct. 2009, pp. 1469-1484.
16. S. Heckman and L. Williams, "A systematic literature review of actionable alert identification techniques for automated static code analysis," Information and Software Technology, 2010.
17. Y. Kim, J. Lee, H. Han, and K.-M. Choe, "Filtering false alarms of buffer overflow analysis using SMT solvers," Information and Software Technology, vol. 52, Feb. 2010, pp. 210-219.
18. S. Grimstad, M. Jorgensen, and K. Molokken-Ostvold, "Software effort estimation terminology: The tower of Babel," Information and Software Technology, vol. 48, Apr. 2006, pp. 302-310.
19. P. Mell, K. Scarfone, and S. Romanosky, "A complete guide to the common vulnerability scoring system version 2.0," Published by FIRST-Forum of Incident Response and Security Teams, 2007, pp. 1-23.
20. R.T. Clemen and R.L. Winkler, "Combining probability distributions from experts in risk analysis," Risk Analysis, vol. 19, 1999, pp. 187-204.
21. R. Cooke, "Experts in uncertainty: opinion and subjective probability in science," 1991.
22. D.J. Weiss and J. Shanteau, "Empirical Assessment of Expertise," Human Factors: The Journal of the Human Factors and Ergonomics Society, vol. 45, 2003, pp. 104-116.
23. Elsevier B.V., "Scopus," 2011.
24. Elsevier Inc, "Engineering Village," 2011.
25. S.T. Cavusgil and L.A. Elvey-Kirk, "Mail survey response behavior: A conceptualization of motivating factors and an empirical study," European Journal of Marketing, vol. 32, 1998, p. 1165-1192.
26. H. Kerzner, Project management: a systems approach to planning, scheduling, and controlling, New York, NY, USA: John Wiley & Sons, 2001.
27. J. Armstrong, Principles of forecasting - A Handbook for Researchers and Practitioners, Netherlands: Kluwer Academic Publishers Group, 2001.
28. P.H. Garthwaite, J.B. Kadane, and A. O' Hagan, "Statistical methods for eliciting probability distributions," Journal of the American Statistical Association, vol. 100, 2005, pp. 680-701.
29. L.J. Cronbach and R.J. Shavelson, "My Current Thoughts on Coefficient Alpha and Successor Procedures," Educational and Psychological Measurement, vol. 64, Jun. 2004, pp. 391-418.
30. L.J. Cronbach, "Coefficient alpha and the internal structure of tests," Psychometrika, vol. 16, 1951, p. 297-334.
31. S. Lin, "A study of expert overconfidence," Reliability Engineering & System Safety, vol. 93, May. 2008, pp. 711-721.
32. H. Kerzner, Project management: a systems approach to planning, scheduling, and controlling, New York, NY, USA: John Wiley & Sons, 2001.
33. SecurityFocus, "SecurityFocus," 2011.