Defining an adaptive software security metric from a dynamic software failure tolerance measure

23 December 2002

conference paper
Published by Institute of Electrical and Electronics Engineers (IEEE)

p. 250-263
https://doi.org/10.1109/cmpass.1996.507892

Abstract

This paper describes a software assessment method that is being implemented to quantitatively assess information system security and survivability. Our approach-which we call Adaptive Vulnerability Analysis-exercises software (in source-code form) by simulating incoming malicious and non-malicious attacks that fall under various threat classes. A quantitative metric is computed by determining whether the simulated threats undermine the security of the system as defined by the user according to the application program. This approach stands in contrast to common security assurance methods that rely on black-box techniques for testing completely-installed systems. AVA does not provide an absolute metric, such as mean-time-to-failure, but instead provides a relative metric, allowing a user to compare the security of different versions of the same system, or to compare non-related systems with similar functionality.

Keywords

This publication has 7 references indexed in Scilit:

Examining fault-tolerance using unlikely inputs: turning the test distribution up-side down
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Predicting software's minimum-time-to-hazard and mean-time-to-hazard for rare input events
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Predicting how badly "good" software can behave
IEEE Software, 1997
A taxonomy of computer program security flaws
ACM Computing Surveys, 1994
Extending mutation testing to find environmental bugs
Software: Practice and Experience, 1990
The internet worm program: an analysis
ACM SIGCOMM Computer Communication Review, 1989
Hints on Test Data Selection: Help for the Practicing Programmer
Computer, 1978