Title: Covariate Software Vulnerability Discovery Model to Support Cybersecurity Test & Evaluation
Abstract: Vulnerability discovery models (VDM) have been proposed as an application of software reliability growth models (SRGM) to software security related defects. VDM model the number of vulnerabilities discovered as a function of testing time, enabling quantitative measures of security. Despite their obvious utility, past VDM have been limited to parametric forms that do not consider the multiple activities software testers undertake in order to identify vulnerabilities. In contrast, covariate SRGM characterize the software defect discovery process in terms of one or more test activities. However, data sets documenting multiple security testing activities suitable for application of covariate models are not readily available in the open literature.
To demonstrate the applicability of covariate SRGM to vulnerability discovery, this research identified a web application to target as well as multiple tools and techniques to test for vulnerabilities. The time dedicated to each test activity and the corresponding number of unique vulnerabilities discovered were documented and prepared in a format suitable for application of covariate SRGM. Analysis and prediction were then performed and compared with a flexible VDM without covariates, namely the Alhazmi-Malaiya Logistic Model (AML). Our results indicate that covariate VDM significantly outperformed the AML model on predictive and information theoretic measures of goodness of fit, suggesting that covariate VDM are a suitable and effective method to predict the results of applying specific vulnerability discovery tools and techniques.
Bio: Lance Fiondella is an associate professor in the Department of Electrical & Computer Engineering at the University of Massachusetts Dartmouth and the Founding Director of the University of Massachusetts Dartmouth Cybersecurity Center, A NSA/DHS designated Center of Academic Excellence in Cyber Research (CAE-R). He received his PhD (2012) in Computer Science & Engineering from the University of Connecticut. Dr. Fiondella has published over 150 peer-reviewed journal articles and conference papers. His research has been funded by the United States Department of Homeland Security, U.S. Army Research Laboratory, U.S. Military Academy, U.S. Army Engineer Research and Development Center, Naval Air Systems Command, Naval Sea Systems Command, Department of the Air Force, National Aeronautics and Space Administration, and National Science Foundation, including a CAREER award.