Assessing vulnerabilities in software systems: a quantitative approach

dc.contributor.author: Alhazmi, Omar, author
dc.contributor.author: Malaiya, Yashwant K., advisor
dc.contributor.author: Ray, Indrajit, advisor
dc.date.accessioned: 2024-03-13T18:14:53Z
dc.date.available: 2024-03-13T18:14:53Z
dc.date.issued: 2007
dc.description.abstract: Security and reliability are two of the most important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. Software assurance requires a similar quantitative assessment of software security; however, only limited work has been done on the quantitative aspects of security. The analogy with software reliability can help in developing similar measures for software security. However, there are significant differences that need to be identified and appropriately acknowledged. This work examines the feasibility of quantitatively characterizing major attributes of security using its analogy with reliability. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a current or future release of a software system using analytical modeling techniques.
dc.description.abstract: Datasets from several major complex software systems have been collected and analyzed; they represent both open-source and proprietary software systems. They include most of the major operating systems, web servers, and web browsers currently in use. The data about vulnerabilities discovered in these software systems are analyzed to identify trends, and the goodness of fit with the proposed models is statistically examined.
dc.description.abstract: Vulnerability datasets are examined to determine whether the vulnerability density in a program is a practical and useful measure. We attempt to identify the quantitative relationship between software defects and vulnerabilities. The results indicate that vulnerability density is relatively stable for specific classes of systems and is therefore a meaningful metric.
dc.description.abstract: The dynamics of vulnerability discovery are examined in detail with the hope that they may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We examine the vulnerability discovery process to determine whether models can be developed to project future trends. The prediction capabilities of the proposed quantitative methods have been investigated. The results show good prediction accuracy when applied to several of the operating systems and web servers. Finally, vulnerability taxonomies were considered, and the quantitative approaches were also applied to categorized vulnerability datasets.
dc.description.abstract: Analysis of categorized vulnerabilities suggests that some vulnerability categories are generally more severe. We also note that in some products, some categories include a larger number of high-severity vulnerabilities. This fact can be used as a guideline to design better test cases that assign a higher priority to selected categories in order to optimize test effectiveness and reduce the cost of testing.
dc.format.medium: born digital
dc.format.medium: doctoral dissertations
dc.identifier: ETDF_Alhazmi_2007_3266397.pdf
dc.identifier.uri: https://hdl.handle.net/10217/237548
dc.language: English
dc.language.iso: eng
dc.publisher: Colorado State University. Libraries
dc.relation.ispartof: 2000-2019
dc.rights: Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright.
dc.rights.license: Per the terms of a contractual agreement, all use of this item is limited to the non-commercial use of Colorado State University and its authorized users.
dc.subject: security
dc.subject: software
dc.subject: vulnerabilities
dc.subject: computer science
dc.title: Assessing vulnerabilities in software systems: a quantitative approach
dc.type: Text
dcterms.rights.dpla: This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Colorado State University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy (Ph.D.)

Files

Original bundle: ETDF_Alhazmi_2007_3266397.pdf (4.14 MB, Adobe Portable Document Format)