Security Vulnerabilities in Software Systems: A Quantitative Perspective

  • Conference paper
  • pp. 281–294
Data and Applications Security XIX (DBSec 2005)
  • Omar Alhazmi
  • Yashwant Malaiya
  • Indrajit Ray

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 3654)

Included in the following conference series:

  • IFIP Annual Conference on Data and Applications Security and Privacy

3469 Accesses, 53 Citations

Abstract

Security and reliability are important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. In this work we examine the feasibility of quantitatively characterizing some aspects of security. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a future release of a software system. We use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in some of the popular operating systems is analyzed. We examine this data to determine if the density of vulnerabilities in a program is a useful measure. We try to identify what fraction of software defects are security related, i.e., are vulnerabilities. We examine the dynamics of vulnerability discovery, hypothesizing that it may lead us to an estimate of the magnitude of the undiscovered vulnerabilities still present in the system. We consider the vulnerability-discovery rate to see if models can be developed to project future trends. Finally, we use the data for both commercial and open-source systems to determine whether the key observations are generally applicable. Our results indicate that the values of vulnerability densities fall within a range of values, just like the commonly used measure of defect density for general defects. Our examination also reveals that vulnerability discovery may be influenced by several factors, including sharing of code between successive versions of a software system.



Author information

Authors and Affiliations

  1. Department of Computer Science, Colorado State University, Fort Collins, CO, 80523, USA

    Omar Alhazmi, Yashwant Malaiya & Indrajit Ray


Editor information

Editors and Affiliations

  1. Center for Secure Information Systems, George Mason University, 22030, Fairfax, VA, USA

    Sushil Jajodia & Duminda Wijesekera


Copyright information

© 2005 IFIP International Federation for Information Processing

About this paper

Cite this paper

Alhazmi, O., Malaiya, Y., Ray, I. (2005). Security Vulnerabilities in Software Systems: A Quantitative Perspective. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_21

  • DOI: https://doi.org/10.1007/11535706_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28138-2

  • Online ISBN: 978-3-540-31937-5

  • eBook Packages: Computer Science, Computer Science (R0), Springer Nature Proceedings Computer Science


Keywords

  • Defect Density
  • Software Reliability
  • Security Vulnerability
  • Quantitative Perspective
  • Software Reliability Growth Model

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
