Predictive Models for Identifying Software Components Prone to Failure During Security Attacks
Abstract
Sometimes software security engineers are given a product that they not familiar with and are asked to do a security analysis of it in a relatively short time. A knowledge of where vulnerabilities are most likely to reside can help prioritize their efforts. In general, software metrics can be used to predict fault- and failure-prone components for prioritizing inspection, testing, and redesign efforts. We believe that the security community can leverage this knowledge to design tools and metrics that can identify vulnerability- and attack prone components early in the software life cycle. We analyzed a large commercial telecommunications software-based system and found that the presence of security faults correlates strongly with the presence of a more general category of reliability faults. This, of course, is not surprising if one accepts the notion that security faults are in many instances a subset of a reliability fault set. We discuss a model that can be useful for identifying attack-prone components and for prioritizing security efforts early in the software life cycle
Document Details
- Document Type
- Technical Report
- Publication Date
- Oct 01, 2008
- Accession Number
- AD1153811
Entities
People
- Laurie Williams
- Michael Gegick
- Mladan Vouk
Organizations
- Carnegie Mellon University