Title :
Towards a Bayesian Approach in Modeling the Disclosure of Unique Security Faults in Open Source Projects
Author :
Anbalagan, Prasanth ; Vouk, Mladen
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
Abstract :
Software security has both an objective and a subjective component. A lot of the information available about that today is focused on the security vulnerabilities and their disclosure. It is less frequent that security breaches and failures rates are reported, even in open source projects. Disclosure of security problems can take several forms. A disclosure can be accompanied by a release of the fix for the problem, or not. The latter category can be further divided into ”voluntary” and ”involuntary” security issues. In widely used software there is also considerable variability in the operational profile under which the software is used. This profile is further modified by attacks on the software that may be triggered by security disclosures. Therefore a comprehensive model of software security qualities of a product needs to incorporate both objective measures, such as security problem disclosure, repair and, failure rates, as well as less objective metrics such as implied variability in the operational profile, influence of attacks, and subjective impressions of exposure and severity of the problems, etc. We show how a classical Bayesian model can be adapted for use in the security context. The model is discussed and assessed using data from three open source software projects. Our results show that the model is suitable for use with a certain subset of disclosed security faults, but that additional work will be needed to identify appropriate shape and scaling functions that would accurately reflect end-user perceptions associated with security problems.
Keywords :
belief networks; public domain software; security of data; software reliability; Bayesian approach; end user perception; involuntary security issue; open source project; scaling function; security breach; security context; security vulnerability; software security; unique security fault; voluntary security issue; Adaptation model; Bayesian methods; Context modeling; Fires; Maintenance engineering; Security; Software; open-source; security; software reliability;
Conference_Titel :
Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on
Conference_Location :
San Jose, CA
Print_ISBN :
978-1-4244-9056-1
Electronic_ISBN :
1071-9458
DOI :
10.1109/ISSRE.2010.48