Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University."— Presentation transcript:

1 Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University of Cambridge First Workshop on Quality of Protection Milan, Italy September 15, 2005

2 Andy Ozment, University of Cambridge 2 Overview Reasons to measure software security Security growth modeling: using reliability growth models on a carefully collected data set Data collection process Data characterization challenges: failure vs. fault The problem of normalization Results of the analysis Future directions

3 Andy Ozment, University of Cambridge 3 Motivation Reduce the Market for Lemons effect –Info asymmetry in the market results in universally lower quality Security return on investment (ROI) –E.g. ROI for MS after it’s 2002 efforts Evaluate different software development methodologies Metrics needed for risk measurement and insurance We need a means of measuring software security –Ideal measure: $€£¥ –Goal: both absolute & relative measure

4 Andy Ozment, University of Cambridge 4 Security Growth Modeling Utilize software reliability growth modeling to consider security Problems –Data collection for faults is easier and more institutionalized –Hackers like abnormal data –Normalizing time data for effort, skill, etc. Previous work –Eric Rescorla: “Is finding security holes a good idea?” –Andy Ozment: “The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting” –5 th Workshop on Economics & Information Security (WEIS 2005)

5 Andy Ozment, University of Cambridge 5 Data Collection OpenBSD 2.2, December 1997 Vulnerabilities obtained from ICAT, Bugtraq, OSVDB, and ISS Search through source code –Identify ‘death date,’ when vulnerability was fixed –Identify ‘birth date,’ when vulnerability was first written Group vulnerabilities according to the version in which they were introduced

6 Andy Ozment, University of Cambridge 6 Data Characterization Problems Inclusion –Localizations –Specific hardware –Default install not vulnerable –Broad definition of vulnerability Uniqueness –Bundle patch from third-party –Simultaneous discovery of multiple related flaws Decided to try two perspectives –Failure: bundles & related were consolidated –Flaw: bundles & related were broken down into individual vulns

7 Andy Ozment, University of Cambridge 7 Data Normalization Normalize time data for effort, skill, holidays, etc. Not possible with this data This analysis of non-normalized data: ‘real-world security’ –Small business owner –Concerned with automated exploits An analysis of normalized data: ‘true security’ –Necessary for ROI, assessing development practices, etc. –Of concern to governments & high-value targets that may be the subject of custom attacks

8 Andy Ozment, University of Cambridge 8 Applying the Models Used SMERFS reliability modeling tool to test 7 models Analyzed both failure- and fault-perspective data sets –Failure data points:68 –Flaw data points:79 Models were tested for predictive accuracy –Bias (u-plots) –Trend (y-plots) –Noise No models were successful for flaw-perspective data Three models were successful for failure-perspective data. Most accurate successful model: Musa’s Logarithmic –Purification level (% of total vulns that have been found): 58.4% –After 54 months,the MTTF is: 42.5 days

9 Andy Ozment, University of Cambridge 9

10 10 Future Research Normalize the data for relative numbers Examine the return on investment for a particular situation Utilize more sophisticated modeling techniques –E.g. recalibrating models Combine vulnerability analysis with traditional software metrics Compare this program with another

11 Andy Ozment, University of Cambridge 11 Conclusion Software engineers need a means of measuring software security Security growth modeling provides a useful measure However, the data collection process is time-consuming Furthermore, characterizing the data is difficult Nonetheless, the results shown here are encouraging More work is needed!

12 Andy Ozment, University of Cambridge 12 Questions? Andy Ozment Computer Security Group Computer Laboratory University of Cambridge

13 Andy Ozment, University of Cambridge 13 Number of vulnerabilities identified per year Perspective1998199920002001 ½ of 2002 Total Treated as failures1917 13268 Treated as flaws24182213279

14 Andy Ozment, University of Cambridge 14 Successful applicability results for models applied to the failure-perspective data: Statistic Musa’s Logarithmic Geometric Littlewood/Verrall Linear Prequential Likelihood 148.35(1)150.23(2)150.50(3) Bias (u-plot)0.12(1)0.13(2)0.18(3) Noise0.31(1)2.39(2)2.44(3) Trend (y-plot)0.20(3)0.18(2)0.14(3)

15 Andy Ozment, University of Cambridge 15 Estimates Made by Successful Models Statistic Musa’s Logarithmic Geometric Littlewood/Verrall Linear Initial Intensity Function 0.0590.0620.066 Current Intensity Function 0.0310.030 Purification Level0.5840.505N/A Current MTTF42.533.133.8

Download ppt "Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University."

Similar presentations

Topics to be discussed Introduction Performance Factors Methodology Test Process Tools Conclusion Abu Bakr Siddiq.

Topics to be discussed Introduction Performance Factors Methodology Test Process Tools Conclusion Abu Bakr Siddiq.
Predictive Data Modeling A CASE STUDY FOR DATA MODELING.

Predictive Data Modeling A CASE STUDY FOR DATA MODELING.
Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.
1. Profile Decision-making and risk assessment under uncertainty Special expertise on software project risk assessment Novel applications of causal models.

1. Profile Decision-making and risk assessment under uncertainty Special expertise on software project risk assessment Novel applications of causal models.
P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.
CSE 322: Software Reliability Engineering Topics covered: Techniques for prediction.

CSE 322: Software Reliability Engineering Topics covered: Techniques for prediction.
Economic Perspectives in Test Automation: Balancing Automated and Manual Testing with Opportunity Cost Paper By – Rudolf Ramler and Klaus Wolfmaier Presented.

Economic Perspectives in Test Automation: Balancing Automated and Manual Testing with Opportunity Cost Paper By – Rudolf Ramler and Klaus Wolfmaier Presented.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Paper Title Your Name CMSC 838 Presentation. CMSC 838T – Presentation Motivation u Problem paper is trying to solve  Characteristics of problem  … u.

Paper Title Your Name CMSC 838 Presentation. CMSC 838T – Presentation Motivation u Problem paper is trying to solve  Characteristics of problem  … u.
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.

R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
A GOAL-BASED FRAMEWORK FOR SOFTWARE MEASUREMENT

A GOAL-BASED FRAMEWORK FOR SOFTWARE MEASUREMENT
Swami NatarajanJune 17, 2015 RIT Software Engineering Reliability Engineering.

Swami NatarajanJune 17, 2015 RIT Software Engineering Reliability Engineering.
SE 450 Software Processes & Product Metrics Reliability Engineering.

SE 450 Software Processes & Product Metrics Reliability Engineering.
SIGDIG – Signal Discrimination for Condition Monitoring A system for condition analysis and monitoring of industrial signals Collaborative research effort.

SIGDIG – Signal Discrimination for Condition Monitoring A system for condition analysis and monitoring of industrial signals Collaborative research effort.
Lecturer: Dr. AJ Bieszczad Chapter 1312-1 Predictive accuracy Predictions are biased when they are consistently different from the actual value. Predictions.

Lecturer: Dr. AJ Bieszczad Chapter Predictive accuracy Predictions are biased when they are consistently different from the actual value. Predictions.
CS 325: Software Engineering March 26, 2015 Software Quality Assurance Software Metrics Defect Injection Software Quality Lifecycle Measuring Progress.

CS 325: Software Engineering March 26, 2015 Software Quality Assurance Software Metrics Defect Injection Software Quality Lifecycle Measuring Progress.
University of Southern California Center for Software Engineering CSE USC ©USC-CSE 3/11/2002 Empirical Methods for Benchmarking High Dependability The.

University of Southern California Center for Software Engineering CSE USC ©USC-CSE 3/11/2002 Empirical Methods for Benchmarking High Dependability The.
Software Process and Product Metrics

Software Process and Product Metrics
1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

Similar presentations

Ads by Google