Sciweavers

ESSOS
2009
Springer

Toward Non-security Failures as a Predictor of Security Faults and Failures

14 years 6 months ago
Toward Non-security Failures as a Predictor of Security Faults and Failures
In the search for metrics that can predict the presence of vulnerabilities early in the software life cycle, there may be some benefit to choosing metrics from the non-security realm. We analyzed non-security and security failure data reported for the year 2007 of a Cisco software system. We used non-security failure reports as input variables into a classification and regression tree (CART) model to determine the probability that a component will have at least one vulnerability. Using CART, we ranked all of the system components in descending order of their probabilities and found that 57% of the vulnerable components were in the top nine percent of the total component ranking, but with a 48% false positive rate. The results indicate that nonsecurity failures can be used as one of the input variables for security-related prediction models.
Michael Gegick, Pete Rotella, Laurie Williams
Added 19 May 2010
Updated 19 May 2010
Type Conference
Year 2009
Where ESSOS
Authors Michael Gegick, Pete Rotella, Laurie Williams
Comments (0)