search menu icon-carat-right cmu-wordmark

Data-Driven Software Assurance: A Research Study

Technical Report
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2014-TR-010
DOI (Digital Object Identifier)
10.1184/R1/6572891.v1

Abstract

Software vulnerabilities are defects or weaknesses in a software system that if exploited can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development life cycle, in the requirements and design phases.

A research project was launched to investigate design-related vulnerabilities and quantify their effects. The Data-Driven Software Assurance project examined the origins of design vulnerabilities, their mitigations, and the resulting economic implications. Stage 1 of the project included three phases: 1) conduct of a mapping study and literature review, 2) conduct of detailed vulnerability analyses, and 3) development of an initial economic model.

The results of Stage 1 indicate that a broader initial focus on secure design yields substantial benefits to both the developer and operational communities and point to ways to intervene in the software development life cycle (or operations) to mitigate vulnerabilities and their impacts. This report describes Stage 1 activities and outlines plans for follow-on work in Stage 2.

Cite This Technical Report

Konrad, M., Manion, A., Moore, A., Mullaney, J., Nichols, B., Orlando, M., & Harper, E. (2014, May 9). Data-Driven Software Assurance: A Research Study. (Technical Report CMU/SEI-2014-TR-010). Retrieved February 23, 2024, from https://doi.org/10.1184/R1/6572891.v1.

@techreport{konrad_2014,
author={Konrad, Michael and Manion, Art and Moore, Andrew and Mullaney, Julia and Nichols, Bill and Orlando, Michael and Harper, Erin},
title={Data-Driven Software Assurance: A Research Study},
month={May},
year={2014},
number={CMU/SEI-2014-TR-010},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6572891.v1},
note={Accessed: 2024-Feb-23}
}

Konrad, Michael, Art Manion, Andrew Moore, Julia Mullaney, Bill Nichols, Michael Orlando, and Erin Harper. "Data-Driven Software Assurance: A Research Study." (CMU/SEI-2014-TR-010). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, May 9, 2014. https://doi.org/10.1184/R1/6572891.v1.

M. Konrad, A. Manion, A. Moore, J. Mullaney, B. Nichols, M. Orlando, and E. Harper, "Data-Driven Software Assurance: A Research Study," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2014-TR-010, 9-May-2014 [Online]. Available: https://doi.org/10.1184/R1/6572891.v1. [Accessed: 23-Feb-2024].

Konrad, Michael, Art Manion, Andrew Moore, Julia Mullaney, Bill Nichols, Michael Orlando, and Erin Harper. "Data-Driven Software Assurance: A Research Study." (Technical Report CMU/SEI-2014-TR-010). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 9 May. 2014. https://doi.org/10.1184/R1/6572891.v1. Accessed 23 Feb. 2024.

Konrad, Michael; Manion, Art; Moore, Andrew; Mullaney, Julia; Nichols, Bill; Orlando, Michael; & Harper, Erin. Data-Driven Software Assurance: A Research Study. CMU/SEI-2014-TR-010. Software Engineering Institute. 2014. https://doi.org/10.1184/R1/6572891.v1