Non-Operational Testing of Software for Security Issues
| Field | Value |
| --- | --- |
| Title | Non-Operational Testing of Software for Security Issues |
| Publication Type | Conference Proceedings |
| Year of Publication | 2013 |
| Authors | Subramani, Shweta; Vouk, Mladen A.; Williams, Laurie |
| Conference Name | ISSRE 2013 |
| Series Title | Fast-Abstracts, Supplemental Proceedings |
| Pagination | pp. 21-22 |
| Publisher | IEEE |
| Conference Location | Pasadena, CA |
| Keywords | Jan'15, NCSU, Vulnerability and Resilience Prediction Models |
| Abstract | We have been studying extension of the classical Software Reliability Engineering (SRE) methodology into the security space. We combine "classical" reliability modeling, when applied to reported vulnerabilities found under "normal" operational profile conditions, with safety-oriented fault management processes. We illustrate with open source Fedora software. Our initial results appear to indicate that generation of a repeatable automated test-strategy that would explicitly cover the "top 25" security problems may help considerably, eliminating perhaps as much as 50% of the field observable problems. However, genuine aleatoric and more process-oriented incomplete analysis and design flaws remain. While we have made some progress in identifying focus areas, a number of questions remain, and we continue working on them. |
| DOI | 10.1109/ISSREW.2013.6688857 |
| Citation Key | node-22646 |