
Assessing vulnerabilities in software systems: a quantitative approach


Security and reliability are two of the most important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. Software assurance requires a similar quantitative assessment of software security; however, only limited work has been done on the quantitative aspects of security. The analogy with software reliability can help in developing similar measures for software security. However, there are significant differences that need to be identified and appropriately acknowledged. This work examines the feasibility of quantitatively characterizing major attributes of security using its analogy with reliability. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a current or future release of a software system using analytical modeling techniques.
Datasets from several major complex software systems have been collected and analyzed; they represent both open-source and proprietary software systems. They include most of the major operating systems, web servers, and web browsers currently in use. The data about vulnerabilities discovered in these software systems are analyzed to identify trends, and the goodness of fit with the proposed models is statistically examined.
Vulnerability datasets are examined to determine if the vulnerability density in a program is a practical and useful measure. We attempt to identify the quantitative relationship between software defects and vulnerabilities. The results indicate that vulnerability density is relatively stable for specific classes of systems and is therefore a meaningful metric.
The dynamics of vulnerability discovery are examined in detail with the hope that this may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We examine the vulnerability discovery process to determine whether models can be developed to project future trends. The prediction capabilities of the proposed quantitative methods have been investigated. The results show good prediction accuracy when applied to several of the operating systems and web servers. Finally, vulnerability taxonomies were considered, and the quantitative approaches were also applied to categorized vulnerability datasets.
Analysis of categorized vulnerabilities suggests that some vulnerability categories are generally more severe. We also note that in some products, some categories include a larger number of high-severity vulnerabilities. This fact can be used as a guideline to design better test cases that assign a higher priority to selected categories in order to optimize test effectiveness and reduce the cost of testing.




computer science

