Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models
Andy Ozment, Computer Security Group, Computer Laboratory, University of Cambridge
First Workshop on Quality of Protection, Milan, Italy, September 15, 2005

Andy Ozment, University of Cambridge
Slide 2: Overview
Reasons to measure software security
Security growth modeling: using reliability growth models on a carefully collected data set
Data collection process
Data characterization challenges: failure vs. fault
The problem of normalization
Results of the analysis
Future directions

Slide 3: Motivation
Reduce the Market for Lemons effect
– Information asymmetry in the market results in universally lower quality
Security return on investment (ROI)
– E.g. ROI for MS after its 2002 efforts
Evaluate different software development methodologies
Metrics needed for risk measurement and insurance
We need a means of measuring software security
– Ideal measure: $€£¥
– Goal: both absolute & relative measure

Slide 4: Security Growth Modeling
Utilize software reliability growth modeling to consider security
Problems
– Data collection for faults is easier and more institutionalized
– Hackers like abnormal data
– Normalizing time data for effort, skill, etc.
Previous work
– Eric Rescorla: “Is finding security holes a good idea?”
– Andy Ozment: “The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting”
– 5th Workshop on Economics & Information Security (WEIS 2005)

Slide 5: Data Collection
OpenBSD 2.2, December 1997
Vulnerabilities obtained from ICAT, Bugtraq, OSVDB, and ISS
Search through source code
– Identify ‘death date,’ when the vulnerability was fixed
– Identify ‘birth date,’ when the vulnerability was first written
Group vulnerabilities according to the version in which they were introduced

Slide 6: Data Characterization Problems
Inclusion
– Localizations
– Specific hardware
– Default install not vulnerable
– Broad definition of vulnerability
Uniqueness
– Bundle patch from third party
– Simultaneous discovery of multiple related flaws
Decided to try two perspectives
– Failure: bundles & related flaws were consolidated
– Flaw: bundles & related flaws were broken down into individual vulns

Slide 7: Data Normalization
Normalize time data for effort, skill, holidays, etc.
Not possible with this data
This analysis of non-normalized data: ‘real-world security’
– Small business owner
– Concerned with automated exploits
An analysis of normalized data: ‘true security’
– Necessary for ROI, assessing development practices, etc.
– Of concern to governments & high-value targets that may be the subject of custom attacks

Slide 8: Applying the Models
Used the SMERFS reliability modeling tool to test 7 models
Analyzed both failure- and fault-perspective data sets
– Failure data points: 68
– Flaw data points: 79
Models were tested for predictive accuracy
– Bias (u-plots)
– Trend (y-plots)
– Noise
No models were successful for flaw-perspective data
Three models were successful for failure-perspective data
Most accurate successful model: Musa’s Logarithmic
– Purification level (% of total vulns that have been found): 58.4%
– After 54 months, the MTTF is 42.5 days
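The modelling step on this slide, as an added example that is not the talk's code or SMERFS: a Python fit of Musa's logarithmic (Musa-Okumoto) model to a constructed series of vulnerability discovery times, giving the current MTTF, plus the u-plot bias statistic (Kolmogorov distance from the uniform line) used to judge predictive accuracy. GAPS, the warm-up length and the bisection bounds are assumptions.

```python
"""Musa's logarithmic (Musa-Okumoto) model fitted to vulnerability discovery times.

Added example, not the talk's code or SMERFS output; GAPS is constructed data,
not the OpenBSD series.  Fits the model by maximum likelihood, reports the
current MTTF, and scores one-step-ahead predictions for bias with the u-plot
(Kolmogorov distance), the "Bias (u-plot)" statistic in the results table.
"""
import math
from itertools import accumulate

# Constructed days between successive vulnerability discoveries (hypothetical).
GAPS = [3, 5, 4, 9, 7, 12, 10, 18, 15, 22, 20, 30, 27, 41, 36, 55]


def fit_musa_okumoto(times):
    """MLE of (beta, theta): mean value function mu(t) = ln(1 + beta*t) / theta,
    intensity lambda(t) = (beta/theta) / (1 + beta*t).  For failure times t_1..t_n
    (T = t_n) the likelihood equations give theta = ln(1 + beta*T) / n and one
    remaining equation in beta, which is solved here by bisection."""
    n, T = len(times), times[-1]

    def score(beta):  # d(log L)/d(beta) with theta(beta) substituted
        return (n / beta - sum(t / (1 + beta * t) for t in times)
                - n * T / ((1 + beta * T) * math.log1p(beta * T)))

    lo, hi = 1e-9, 10.0  # score > 0 near 0 when growth is present, < 0 at hi
    for _ in range(200):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if score(mid) > 0 else (lo, mid)
    beta = (lo + hi) / 2
    return beta, math.log1p(beta * T) / n

def current_mttf(times):
    """1 / lambda(T): expected days to the next vulnerability at the end of the data."""
    beta, theta = fit_musa_okumoto(times)
    return theta * (1 + beta * times[-1]) / beta

def next_gap_cdf(beta, theta, T, x):
    """P(next vulnerability is found within x days of time T) under the fitted model."""
    return 1 - ((1 + beta * T) / (1 + beta * (T + x))) ** (1 / theta)

def u_plot_bias(gaps, warmup=6):
    """Kolmogorov distance of the u-plot from the diagonal (0 = unbiased).  Each u is
    the CDF of a model fitted to earlier data only, evaluated at the gap that actually
    followed; an unbiased predictor gives uniformly distributed u values."""
    times = list(accumulate(gaps))
    us = sorted(next_gap_cdf(*fit_musa_okumoto(times[:i]), times[i - 1], gaps[i])
                for i in range(warmup, len(gaps)))
    return max(max((j + 1) / len(us) - u, u - j / len(us)) for j, u in enumerate(us))
```

A u-plot distance near 0 means the model's predictions were neither systematically optimistic nor pessimistic on this series; SMERFS reports the same statistic per model.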


Slide 10: Future Research
Normalize the data for relative numbers
Examine the return on investment for a particular situation
Utilize more sophisticated modeling techniques
– E.g. recalibrating models
Combine vulnerability analysis with traditional software metrics
Compare this program with another

Slide 11: Conclusion
Software engineers need a means of measuring software security
Security growth modeling provides a useful measure
However, the data collection process is time-consuming
Furthermore, characterizing the data is difficult
Nonetheless, the results shown here are encouraging
More work is needed!

Slide 12: Questions?
Andy Ozment, Computer Security Group, Computer Laboratory, University of Cambridge

Slide 13: Number of vulnerabilities identified per year
Perspective | ½ of 2002 | Total
Treated as failures | |
Treated as flaws | |

Slide 14: Successful applicability results for models applied to the failure-perspective data (rank among the three models in parentheses)
Statistic | Musa’s Logarithmic | Geometric | Littlewood/Verrall Linear
Prequential Likelihood | (1) | 150.23 (2) | 150.50 (3)
Bias (u-plot) | 0.12 (1) | 0.13 (2) | 0.18 (3)
Noise | 0.31 (1) | 2.39 (2) | 2.44 (3)
Trend (y-plot) | 0.20 (3) | 0.18 (2) | 0.14 (3)

Slide 15: Estimates Made by Successful Models
Columns: Statistic | Musa’s Logarithmic | Geometric | Littlewood/Verrall Linear
Rows: Initial Intensity Function; Current Intensity Function; Purification Level (N/A); Current MTTF