Software Engineering Institute | Carnegie Mellon University



Predicting Software Assurance Using Quality and Reliability Measures

  • “The combination of good quality practices and a focus on defect removal as well as the vulnerability tracking tools, gives you the best approach that we’ve seen. We have seen five or six specific cases where this strategy has produced really outstanding results.”
  • Related

    Technical Note | Predicting Software Assurance Using Quality and Reliability Measures

  • Abstract

    Security vulnerabilities are defects that enable an external party to compromise a system. Our research indicates that improving software quality by reducing the number of errors also reduces the number of vulnerabilities and hence improves software security. Some portion of security vulnerabilities (maybe over half of them) are also quality defects. Can quality defect models that predict quality results be applied to security to predict security results? Simple defect models focus on an enumeration of development errors after they have occurred and do not relate directly to operational security vulnerabilities, except when the cause is quality related. In this podcast, Carol Woody and Bill Nichols discuss how a combination of software development and quality techniques can improve software security.


About the Speaker

  • William Nichols

    Bill Nichols joined the SEI in 2006 and served as a Personal Software Process (PSP) instructor and Team Software Process (TSP) coach. His current focus is on performance data and data-driven analysis of the software development process. Prior to joining the SEI, Nichols led a software development team at the Bettis Laboratory near Pittsburgh, where he had been developing and maintaining nuclear engineering and scientific software for 14 years.

  • Carol Woody

    Carol Woody has been a senior member of the technical staff since 2001 and is the technical manager of the Cybersecurity Engineering Team, whose research focuses on security and software assurance for highly complex networked systems throughout the development and acquisition lifecycles.