Covariate Software Vulnerability Discovery Model to Support Cybersecurity Test & Evaluation

Categories: Seminar Series

10:30-11:30 April 25 2024 WWH 335. Vulnerability discovery models (VDMs) have been proposed as an application of software reliability growth models (SRGMs) to security-related software defects. A VDM models the number of vulnerabilities discovered as a function of testing time, enabling quantitative measures of security. Despite their obvious utility, past VDMs have been limited to parametric forms that do not consider the multiple activities software testers undertake in order to identify vulnerabilities. In contrast, covariate SRGMs characterize the defect discovery process in terms of one or more test activities. However, data sets that document multiple security testing activities in a form suitable for covariate models are not readily available in the open literature.

To demonstrate the applicability of covariate SRGM to vulnerability discovery, this research identified a web application to target as well as multiple tools and techniques to test for vulnerabilities. The time dedicated to each test activity and the corresponding number of unique vulnerabilities discovered were documented and prepared in a format suitable for the application of covariate SRGM. Analysis and prediction were then performed and compared with a flexible VDM without covariates, namely the Alhazmi-Malaiya Logistic Model (AML). Our results indicate that covariate VDM significantly outperformed the AML model on predictive and information-theoretic measures of goodness of fit, suggesting that covariate VDM are a suitable and effective method to predict the impact of applying specific vulnerability discovery tools and techniques.
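The comparison described above, reduced to code as an added example (this is not the speaker's code or data): constructed weekly records of effort per test activity and unique vulnerabilities found are fitted with the Alhazmi-Malaiya Logistic mean value function Omega(t) = B / (B*C*e^{-ABt} + 1) and with a covariate model, then compared on Poisson log-likelihood and AIC as one information-theoretic criterion. The covariate model uses a discrete geometric hazard with a log-linear link, h_i = 1 - (1-b)^{exp(beta . x_i)}, which is an assumed illustrative form, not necessarily the one used in the talk; the data, starting values and the pure-Python Nelder-Mead fitter are likewise my own.

```python
"""Added example: covariate VDM vs AML VDM on constructed weekly test data."""
import math
from typing import Callable, List, Sequence, Tuple

# Constructed data (not from the talk): ten weekly intervals. Each EFFORT row is
# hours spent on two activities (automated scanning, manual review); VULNS is
# the number of unique vulnerabilities first found in that week.
EFFORT: List[Tuple[float, float]] = [(6.0, 0.0), (4.0, 2.0), (0.0, 5.0), (0.0, 0.0), (8.0, 1.0),
                                     (2.0, 6.0), (0.0, 0.0), (5.0, 3.0), (1.0, 1.0), (3.0, 4.0)]
VULNS: List[int] = [3, 4, 5, 0, 4, 6, 0, 4, 1, 3]
AML_START = [0.01, 40.0, 1.0]        # A, B, C (assumed starting point)
COV_START = [40.0, 0.02, 0.1, 0.1]   # omega, b, beta_1, beta_2 (assumed starting point)


def aml_mvf(t: float, A: float, B: float, C: float) -> float:
    """Alhazmi-Malaiya Logistic mean value function Omega(t) = B / (B*C*e^{-ABt} + 1)."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)


def aml_expected(params: Sequence[float], n: int) -> List[float]:
    """Expected discoveries in each unit interval under AML (time only, no covariates).
    Omega(0) > 0 is the pre-campaign baseline and is not assigned to any interval."""
    A, B, C = params
    return [aml_mvf(i + 1, A, B, C) - aml_mvf(i, A, B, C) for i in range(n)]


def covariate_expected(effort: Sequence[Sequence[float]], params: Sequence[float]) -> List[float]:
    """Assumed discrete geometric covariate form: hazard h_i = 1 - (1-b)^{exp(beta . x_i)};
    expected discoveries = omega * h_i * (fraction still undiscovered before interval i)."""
    omega, b, beta = params[0], params[1], params[2:]
    remaining, out = 1.0, []
    for x in effort:
        z = min(sum(bk * xk for bk, xk in zip(beta, x)), 700.0)  # cap avoids exp overflow
        h = 1.0 - (1.0 - b) ** math.exp(z)
        out.append(omega * remaining * h)
        remaining *= 1.0 - h
    return out


def poisson_loglik(expected: Sequence[float], observed: Sequence[int]) -> float:
    """Log-likelihood of per-interval counts under independent Poisson(expected_i)."""
    ll = 0.0
    for m, k in zip(expected, observed):
        if m <= 0.0:
            return -math.inf
        ll += k * math.log(m) - m - math.lgamma(k + 1)
    return ll


def aic(n_params: int, loglik: float) -> float:
    return 2.0 * n_params - 2.0 * loglik


def aml_nll(params: Sequence[float], vulns: Sequence[int]) -> float:
    if min(params) <= 0.0:           # A, B, C must be positive
        return math.inf
    return -poisson_loglik(aml_expected(params, len(vulns)), vulns)


def cov_nll(params: Sequence[float], effort, vulns: Sequence[int]) -> float:
    if params[0] <= 0.0 or not 0.0 < params[1] < 1.0:   # omega > 0, 0 < b < 1
        return math.inf
    return -poisson_loglik(covariate_expected(effort, params), vulns)


def nelder_mead(f: Callable[[List[float]], float], x0: Sequence[float],
                iters: int = 4000, tol: float = 1e-10):
    """Minimal pure-Python Nelder-Mead; returns (x, f(x)) with f(x) <= f(x0)."""
    n = len(x0)
    pts = [list(x0)] + [[(v * 1.2 if v else 0.1) if j == i else v
                         for j, v in enumerate(x0)] for i in range(n)]
    vals = [f(p) for p in pts]
    for _ in range(iters):
        order = sorted(range(n + 1), key=vals.__getitem__)
        pts, vals = [pts[i] for i in order], [vals[i] for i in order]
        if vals[-1] - vals[0] < tol:
            break
        cen = [sum(p[j] for p in pts[:-1]) / n for j in range(n)]
        w = pts[-1]
        xr = [c + (c - wj) for c, wj in zip(cen, w)]
        fr = f(xr)
        if fr < vals[0]:                                   # expansion
            xe = [c + 2.0 * (c - wj) for c, wj in zip(cen, w)]
            fe = f(xe)
            pts[-1], vals[-1] = (xe, fe) if fe < fr else (xr, fr)
        elif fr < vals[-2]:                                # reflection
            pts[-1], vals[-1] = xr, fr
        else:                                              # contraction, else shrink
            xc = [c + 0.5 * (wj - c) for c, wj in zip(cen, w)]
            fc = f(xc)
            if fc < vals[-1]:
                pts[-1], vals[-1] = xc, fc
            else:
                best = pts[0]
                pts = [best] + [[b + 0.5 * (q - b) for b, q in zip(best, p)] for p in pts[1:]]
                vals = [vals[0]] + [f(p) for p in pts[1:]]
    i = min(range(n + 1), key=vals.__getitem__)
    return pts[i], vals[i]


def fit_aml(vulns: Sequence[int]) -> dict:
    params, nll = nelder_mead(lambda p: aml_nll(p, vulns), AML_START)
    return {"params": params, "loglik": -nll, "aic": aic(len(params), -nll)}


def fit_covariate(effort, vulns: Sequence[int]) -> dict:
    params, nll = nelder_mead(lambda p: cov_nll(p, effort, vulns), COV_START)
    return {"params": params, "loglik": -nll, "aic": aic(len(params), -nll)}


def compare(effort, vulns: Sequence[int]) -> dict:
    """Fit both models to the same interval data; lower AIC is the better-supported model."""
    return {"aml": fit_aml(vulns), "covariate": fit_covariate(effort, vulns)}


if __name__ == "__main__":
    for name, fit in compare(EFFORT, VULNS).items():
        print(f"{name:10s} loglik={fit['loglik']:.2f}  AIC={fit['aic']:.2f}  "
              f"params={[round(v, 4) for v in fit['params']]}")
```

The AML fit sees only time, so it must spread discoveries smoothly across weeks, including the constructed weeks with zero effort; the covariate fit can attribute discoveries to the activities actually performed. AIC charges the covariate model for its extra parameter, which is the point of an information-theoretic comparison: it has to earn the added flexibility. Swap in real per-activity effort and discovery counts to reproduce the kind of comparison the abstract describes.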

Biography

Lance Fiondella is an associate professor in the Department of Electrical & Computer Engineering at the University of Massachusetts Dartmouth and the Founding Director of the University of Massachusetts Dartmouth Cybersecurity Center, an NSA/DHS-designated Center of Academic Excellence in Cyber Research (CAE-R). He received his PhD (2012) in Computer Science & Engineering from the University of Connecticut. Dr. Fiondella has published over 160 peer-reviewed journal articles and conference papers, fourteen of which have been recognized with awards, including five as first author and eight with a major advisee. His research has been funded by DHS, ARL, USMA, ERDC, NAVAIR, NAVSEA, Air Force, NASA, and NSF, including a CAREER award as well as a $3.5 million NSF CyberCorps(R) Scholarship for Service (SFS) project. Dr. Fiondella has also held various visiting and honorary appointments with U.S. Government Laboratories and Federally Funded Research & Development Centers.