Visible to the public Non-Operational Testing of Software for Security Issues

TitleNon-Operational Testing of Software for Security Issues
Publication TypeConference Proceedings
Year of Publication2013
AuthorsSubramani, Shweta, Vouk, Mladen A., Williams, Laurie
Conference NameISSRE 2013
Series TitleFast-Abstracts, Supplemental Proceedings
Paginationpp 21-22
Conference LocationPasadena, CA
KeywordsJan'15, NCSU, Vulnerability and Resilience Prediction Models

We have been studying extension of the classical Software Reliability Engineering (SRE) methodology into the security space. We combine "classical" reliability modeling, when applied to reported vulnerabilities found under "normal" operational profile conditions, with safety oriented fault management processes. We illustrate with open source Fedora software.

Our initial results appear to indicate that generation of a repeatable automated test-strategy that would explicitly cover the "top 25" security problems may help considerably - eliminating perhaps as much as 50% of the field observable problems. However, genuine aleatoric and more process oriented incomplete analysis and design flaws remain. While we have made some progress in identifying focus areas, a number of questions remain, and we continue working on them.

DOIDOI: 10.1109/ISSREW.2013.6688857
Citation Keynode-22646