The conditional distribution for the number of defects in a software release given a
defect discovery T units of time since the last discovery is

$$P(n\ \text{defects}) = \frac{\beta^{n} e^{-\beta}}{n!} \qquad (8)$$
Suppose the defect discovery (decay) constant is α and β is the a priori expected
number of defects (code size/lines of code per defect). If we observe defects at time
intervals of $T_1, T_2, \ldots, T_k$, then the conditional distribution of remaining defects is
Poisson:

$$P(n\ \text{defects}) = \frac{\left(\beta e^{-\alpha(T_1 + T_2 + \cdots + T_k)}\right)^{n} e^{-\beta e^{-\alpha(T_1 + T_2 + \cdots + T_k)}}}{n!} \qquad (9)$$
This is the a priori expected number of defects scaled by the decay factor of the
exponential discovery model.
As new releases to the software are made, the distribution of defects remains Poisson
with the expected number of defects being the number remaining from the last
release, γ, plus those introduced, β, by the independent introduction of new
functionality:

$$P(n\ \text{defects}) = \frac{(\beta + \gamma)^{n} e^{-(\beta + \gamma)}}{n!} \qquad (10)$$
It is thus possible to observe the time that elapses since the last discovery of a
vulnerability. This value is dependent upon the number of vulnerabilities in the system
and the number of users of the software. The more vulnerabilities, the faster the
discovery rate of flaws. Likewise, the more users of the software, the faster the existing
vulnerabilities are found (through both formal and adverse discovery).
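The three distributions above, worked as an added Python example (not code from the paper): equation (8) with mean β, equation (9) with the mean scaled by the decay factor after the observed intervals, and equation (10) for a new release. The values of β, α, the intervals and γ are constructed sample inputs, not figures from the paper.

```python
import math

# beta: a priori expected number of defects in the release (eq. 8)
# alpha: defect discovery (decay) constant (eq. 9)
# intervals: observed times T_1..T_k between successive defect discoveries
# gamma: defects carried over from the previous release (eq. 10)

def poisson_pmf(n, lam):
    """Poisson probability of exactly n defects when the mean is lam."""
    return lam ** n * math.exp(-lam) / math.factorial(n)

def release_pmf(n, beta):
    """Eq. (8): distribution of defects in a release with a priori mean beta."""
    return poisson_pmf(n, beta)

def remaining_mean(beta, alpha, intervals):
    """Mean of eq. (9): beta scaled by exp(-alpha * (T_1 + ... + T_k))."""
    return beta * math.exp(-alpha * sum(intervals))

def remaining_pmf(n, beta, alpha, intervals):
    """Eq. (9): conditional distribution of remaining defects after k discoveries."""
    return poisson_pmf(n, remaining_mean(beta, alpha, intervals))

def new_release_pmf(n, beta, gamma):
    """Eq. (10): defects after a new release, gamma carried over plus beta introduced."""
    return poisson_pmf(n, beta + gamma)

def prob_none_remaining(beta, alpha, intervals):
    """Probability that no defects remain: the n = 0 case of eq. (9)."""
    return remaining_pmf(0, beta, alpha, intervals)

if __name__ == "__main__":
    beta, alpha = 20.0, 0.05             # constructed sample values
    intervals = [3.0, 7.0, 12.0]         # constructed discovery intervals (days)
    lam = remaining_mean(beta, alpha, intervals)
    print(f"expected remaining defects: {lam:.3f}")
    print(f"P(no defects remain): {prob_none_remaining(beta, alpha, intervals):.4f}")
    for n in range(5):
        print(n, round(remaining_pmf(n, beta, alpha, intervals), 4))
    # the remaining lam plays the role of gamma once a new release adds beta more
    print("P(0) after new release:", round(new_release_pmf(0, beta, lam), 6))
```

Longer quiet intervals shrink the mean of (9) toward zero, so the probability that no defects remain rises, while a new release resets the mean to β plus whatever was still outstanding.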
4 Conclusion
To represent the effect of security expenditure in minimizing bugs against investment
over time and the result as expected returns (or profit), we see that there are expenditure
inflection points. What we see is that spending too much on security has a limiting
function on profit. Also, too little expenditure has a negative effect on profit as the cost of
discovering bugs post release increases. This is where risk analysis comes into its own.
The idea is to choose an optimal expenditure on security that limits the losses. Money
should be spent on security until that last dollar returns at least a dollar in mitigated
expected loss. Once the expenditure of a dollar returns less than a dollar, the incremental
investment is wasted. Here, the software coder has to optimize the testing process.
Modeling and understanding program risks is essential if we are to minimize risk
and create better code. It was clear from this study that organizational coding
expresses a far higher rate of bugs per line of code than is expressed in specialized
software companies. Insufficient testing is being conducted in many companies who have
in-house coding teams. This is leading to higher costs and lower overall security.
The goal for any coding team should be how many lines of good code are
produced, not how many lines of code are written and then sent to be fixed.