Publications
The papers available here are for personal use only.

| Author | Title | Publication | Formats |
|---|---|---|---|
| G. McGraw | Eliminating badware addresses malware problem | SearchSecurity (May 2012) | HTML |
| G. McGraw | Gary McGraw on software security assurance: Build it in, build it right | SearchSecurity (April 2012) | HTML |
| G. McGraw, S. Migues | vBSIMM Take Two (BSIMM for Vendors Revised) | informIT (January 26, 2011) | HTML |
| G. McGraw, S. Migues | BSIMM versus SAFECode and Other Kaiju Cinema | informIT (December 26, 2011) | HTML |
| G. McGraw, B. Chess, S. Migues | Third-Party Software and Security | informIT (November 30, 2011) | HTML |
| G. McGraw, S. Migues | Software Security Training | informIT (October 31, 2011) | HTML |
| G. McGraw, B. Chess, S. Migues | BSIMM3 | informIT (September 27, 2011) | HTML |
| G. McGraw | Technology Transfer: A Software Security Marketplace Case Study | IEEE Software (September/October 2011) | |
| G. McGraw | Balancing All the Breaking with some Building | informIT (August 30, 2011) | HTML |
| A. Sood, Krishna Raja | Dissecting Java Server Faces for Penetration Testing | Cigital Labs | |
| G. McGraw | Software Security Zombies | informIT (July 21, 2011) | HTML |
| A. Sood, B. Gajbhiye | Design Flaws in IP Surveillance Cameras | Hakin9 (July 2011) | |
| G. McGraw, N. Fick | Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security, in America’s Cyber Future: Security and Prosperity in the Information Age, Volumes I and II | Center for a New American Security (June 2011) | |
| G. McGraw | Computer Security and International Norms | informIT (May 30, 2011) | HTML |
| G. McGraw, S. Migues | vBSIMM (BSIMM for Vendors) | informIT (April 12, 2011) | HTML |
| G. McGraw | Modern Malware | informIT (March 22, 2011) | HTML |
| E. Wotring III, S. Migues | Ensuring Software Assurance Process Maturity | CrossTalk (March 2011) | HTML |
| G. McGraw | Software Patents and Fault Injection | informIT (February 28, 2011) | HTML |
| G. McGraw, J. Steven | Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal) | informIT (January 31, 2011) | HTML |
| G. McGraw, S. Migues | Driving Efficiency and Effectiveness in Software Security | informIT (December 29, 2010) | HTML |
| G. McGraw, I. Arce | Cyber Warmongering and Influence Peddling | informIT (November 24, 2010) | HTML |
| G. McGraw | Technology Transfer | informIT (October 26, 2010) | HTML |
| G. McGraw | How to p0wn a Control System with Stuxnet | informIT (September 23, 2010) | HTML |
| A. Sobel, G. McGraw | Interview: Software Security in the Real World | Computer (September 2010) | |
| G. McGraw | Software Security Crosses the Threshold | informIT (August 16, 2010) | HTML |
| G. McGraw | Obama Highlights Cyber Security Progress | informIT (July 16, 2010) | HTML |
| G. McGraw | Cyber War – Hype or Consequences? | informIT (June 17, 2010) | HTML |
| G. McGraw, B. Chess, S. Migues, E. Nichols | BSIMM2: Measuring the Emergence of a Software Security Community | informIT (May 12, 2010) | HTML |
| G. McGraw, I. Arce | Assume Nothing: Is Microsoft Forgetting a Crucial Security Lesson? | informIT (April 30, 2010) | HTML |
| G. McGraw | The Smart (Electric) Grid and Dumb Cybersecurity | informIT (March 26, 2010) | HTML |
| G. McGraw, B. Chess, S. Migues | What Works in Software Security | informIT (February 26, 2010) | HTML |
| G. McGraw | Cargo Cult Computer Security | informIT (January 28, 2010) | HTML |
| G. McGraw | Silver Bullet Talks with Christofer Hoff | IEEE Security & Privacy (January/February 2010) (PPV) | PDF HTML |
| G. McGraw | You Really Need a Software Security Group | informIT (December 21, 2009) | HTML |
| G. McGraw | BSIMM Europe | informIT (November 10, 2009) | HTML |
| J. Routh, G. McGraw | Lifestyle Hackers | CSO Online (November 2, 2009) | HTML |
| G. McGraw | Startup Lessons | informIT (October 22, 2009) | HTML |
| G. McGraw, S. Migues | BSIMM Begin | informIT (September 24, 2009) | HTML |
| G. McGraw | Attack Categories and History Prediction | informIT (August 25, 2009) | HTML |
| G. McGraw | Moving U.S. Cybersecurity Beyond Cyberplatitudes | informIT (July 16, 2009) | HTML |
| G. McGraw, J. Routh | Measuring Software Security | informIT (June 18, 2009) | HTML |
| G. McGraw | Securing Online Games: Safeguarding the Future of Software Security | IEEE Security & Privacy (May/June 2009) | |
| G. McGraw | Software Security Comes of Age | informIT (April 16, 2009) | HTML |
| G. McGraw | Twitter Security | informIT (May 15, 2009) | HTML |
| G. McGraw, B. Chess, S. Migues | The Building Security In Maturity Model (BSIMM) | informIT (March 16, 2009) | HTML |
| G. McGraw, B. Chess, S. Migues | Nine Things Everybody Does: Software Security Activities from the BSIMM | informIT (February 9, 2009) | HTML |
| G. McGraw | Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work | informIT (January 13, 2009) | HTML |
| G. McGraw | Software Security Top 10 Surprises | informIT (December 15, 2008) | HTML |
| M. Subbarao | EJB 3.1 – EJB New and Improved! | Javalobby (December 1, 2008) | HTML |
| G. McGraw | How Things Work: Automated Code Review Tools for Security | Computer (December 2008) | |
| G. McGraw | Web Applications and Software Security | informIT (November 14, 2008) | HTML |
| J. Steven | State of Application Assessment | IEEE Security & Privacy (Nov/Dec 2008) | |
| G. McGraw, B. Chess | A Software Security Framework: Working Towards a Realistic Maturity Model | informIT (October 15, 2008) | HTML |
| G. McGraw | Getting Past the Bug Parade | informIT (September 17, 2008) | HTML |
| G. McGraw | Software Security Demand Rising | informIT (August 11, 2008) | HTML |
| G. McGraw | Application Assessment as a Factory | informIT (July 17, 2008) | HTML |
| G. McGraw | Securing Web 3.0 | informIT (May 15, 2008) | HTML |
| G. McGraw | Paying for Secure Software | informIT (April 7, 2008) | HTML |
| G. McGraw | The Truth Behind Code Analysis | Dark Reading (February 13, 2008) | HTML |
| G. McGraw | Software Security Strategies | Dark Reading (January 9, 2008) | HTML |
| G. McGraw | Beyond the PCI Band-Aid | Dark Reading (December 10, 2007) | HTML |
| S. Gupta, J. Winstead | Using Attack Graphs to Design Systems | IEEE Security & Privacy (Nov/Dec 2007) | |
| G. McGraw | Online Games & the Law | Dark Reading (October 11, 2007) | HTML |
| G. McGraw | Mobile Insecurity | Dark Reading (September 14, 2007) | HTML |
| G. McGraw, G. Hoglund | Online Games and Security | IEEE Security & Privacy (Sep/Oct 2007) | |
| G. McGraw | The Ultimate Insider | Dark Reading (August 14, 2007) | HTML |
| G. McGraw | Consolidate This | Dark Reading (July 12, 2007) | HTML |
| G. McGraw | JSON, Ajax & Web 2.0 | Dark Reading (June 7, 2007) | HTML |
| G. McGraw | Certifiable | Dark Reading (May 9, 2007) | HTML |
| G. McGraw | Want Turns to Need | Dark Reading (April 20, 2007) | HTML |
| G. McGraw | Compliance As Kick-Starter | Dark Reading (March 12, 2007) | HTML |
| G. McGraw | Security’s Symbiosis | Dark Reading (February 27, 2007) | HTML |
| G. McGraw | Hurray for Hollywood!? | Dark Reading (January 12, 2007) | HTML |
| G. McGraw | Foxy Vista Henhouse | Dark Reading (December 11, 2006) | HTML |
| G. Petersen, J. Steven | Defining Misuse Within the Development Process | IEEE Security & Privacy (Nov/Dec 2006) | |
| G. McGraw | Boarding-Pass Brouhaha | Dark Reading (November 2, 2006) | HTML |
| G. McGraw | Diebold Disses Democracy | Dark Reading (October 9, 2006) | HTML |
| K. Van Wyk, J. Steven | Essential Factors for Successful Software Security Awareness Training | IEEE Security & Privacy (Sep/Oct 2006) | |
| G. McGraw | Keep Your Laws Off My Security | Dark Reading (September 7, 2006) | HTML |
| K. VanWyk, J. Steven | Essential Factors for Successful Software Security Awareness Training | IEEE Security & Privacy (Sep/Oct 2006) | |
| G. McGraw | Google is Evil | Dark Reading (August 4, 2006) | HTML |
| G. Peterson | Introduction to Identity Management Risk Metrics | IEEE Security & Privacy (Jul/Aug 2006) | |
| G. McGraw | If You Build It, They’ll Crash It | Dark Reading (July 7, 2006) | HTML |
| G. Petersen (ed. J. Steven) | Introduction to Identity Management Risk Metrics | IEEE Security & Privacy (Jul/Aug 2006) | |
| G. McGraw | As Security Problems Grow, Time for Software Assessment Is Now | SD Times (June 1, 2006) | HTML |
| E. Dalci, J. Steven | A framework for creating custom rules for static analysis tools | Static Analysis Summit at NIST (June 29, 2006) | |
| G. McGraw | Beyond the Badness-ometer | Dr. Dobbs (June 30, 2006) | HTML |
| G. McGraw | New Terrorist Profile: Phone Users | Dark Reading (June 13, 2006) | HTML |
| G. McGraw | Microsoft’s Missed Opportunity | Dark Reading (May 3, 2006) | HTML |
| P. Chandra, B. Chess, J. Steven | Putting the Tools to Work: How to Succeed with Source Code Analysis | IEEE Security & Privacy (May/Jun 2006) | |
| G. McGraw | How Flawed is Microsoft? | IT Architect Magazine, March 1, 2006. | |
| J. Steven | Adopting an Enterprise Software Security Framework | IEEE Security & Privacy (Mar/Apr 2006) | |
| G. McGraw | Is Application Security Training Worth the Money? | IT Architect Magazine, February 1, 2006. | |
| G. McGraw | Is Sony BMG Run By Malicious Hackers? | IT Architect Magazine, January 1, 2006. | |
| J. Epstein, S. Matsumoto, G. McGraw | Software Security and SOA: Danger, Will Robinson! | IEEE Security & Privacy (Jan/Feb 2006) | |
| G. McGraw | When Does Security Cross the Line? | IT Architect Magazine, December 1, 2005. | |
| G. McGraw | Is Security Really About Getting Nothing Done? | IT Architect Magazine, November 1, 2005. | |
| K. Tsipenyuk, B. Chess, G. McGraw | Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors | IEEE Security & Privacy (Nov/Dec 2005) | |
| G. McGraw | How Bad Is Intrusion Detection? | IT Architect Magazine, October 1, 2005. | |
| K.R. van Wyk, G. McGraw | Bridging the Gap Between Software Development and Information Security | IEEE Security & Privacy (Sep/Oct 2005) | |
| G. McGraw | Is Cisco Naked? | IT Architect Magazine, September 1, 2005. | |
| G. McGraw | Is VoIP Secure Enough For Prime Time? | IT Architect Magazine, August 1, 2005. | |
| G. McGraw | Is Penetration Testing a Good Idea? | Network Magazine, July 1, 2005. | |
| N.R. Mead and G. McGraw | A Portal for Software Security | IEEE Security & Privacy (Jul/Aug 2005) | |
| G. McGraw | Are Cell Phones the Next Target? | Network Magazine, June 1, 2005. | |
| G. McGraw | How Does Security Fit With Engineering? | Network Magazine, May 1, 2005. | |
| D. Taylor and G. McGraw | Adopting a Software Security Improvement Program | IEEE Security & Privacy (May/Jun 2005) | |
| G. McGraw | Is Your Mac Really More Secure? | Network Magazine, April 1, 2005. | |
| S. Barnum, G. McGraw | Knowledge for Software Security | IEEE Security & Privacy (Mar/Apr 2005) | |
| G. McGraw | Where Does Trust Come From? | Network Magazine, March 1, 2005. | |
| G. McGraw | Are We In a Computer Security Renaissance? | Network Magazine, February 1, 2005. | |
| G. McGraw | Innovative Rootkits: The Ultimate Weapon? | Network Magazine, January 1, 2005. | |
| B. Arkin, S. Stender, G. McGraw | Software Penetration Testing | IEEE Security & Privacy (Jan/Feb 2005) | |
| G. McGraw | How Do Real Bad Guys Break Software? | Network Magazine, December 1, 2004. | |
| B. Chess and G. McGraw | Static Analysis for Security | IEEE Security & Privacy (Nov/Dec 2004) | |
| G. McGraw | Application Security Testing Tools: Worth the Money? | Network Magazine, November 1, 2004. | |
| G. McGraw | Who Should Do Security? | Network Magazine, October 1, 2004. | |
| B. Potter and G. McGraw | Software Security Testing | IEEE Security & Privacy (Sep/Oct 2004) | |
| A. Young, M. Yung | A Subliminal Channel in Secret Block Ciphers | Selected Areas in Cryptography, August 9-10, 2004. | |
| D. Verdon, G. McGraw | Risk Analysis in Software Design | IEEE Security & Privacy (July/August 2004; pp. 32-37) (Building Security In) | |
| G. McGraw, G. Hoglund | Exploiting Software: The Achilles’ Heel of CyberDefense | CyberDefense Magazine (June 2004) | PDF HTML |
| P. Hope, G. McGraw, A. Anton | Misuse and Abuse Cases: Getting Past the Positive | IEEE Security & Privacy (May/Jun 2004) | |
| A. Young | Mitigating Insider Threats to RSA Key Generation | RSA Laboratories’ Cryptobytes (Spring 2004; Vol. 6, No. 1) | PS Word |
| G. McGraw, G. Hoglund | Dire Straits | Information Security (April 2004) | HTML |
| G. McGraw | Software Security | IEEE Security & Privacy (March/April 2004; Volume 2, Number 2, pp. 32-35) | |
| J. Payne | Regulation and Information Security: Can Y2K Lessons Help Us? | IEEE Security & Privacy (March/April 2004; Vol. 2, No. 2, pp. 32-35) (On the Horizon) | |
| G. McGraw, P. Hope, A. Anton | Misuse and Abuse Cases: Getting Past the Positive | IEEE Security & Privacy (March/April 2004; Vol. 2, No. 3, pp. 32-34) (Building Security In) | |
| G. McGraw, et al. | Processes to Produce Secure Software | National Cyber Security Summit | |
| A. Young, M. Yung | A Key Recovery System as Secure as Factoring | CT-RSA Conference, 2004. | |
| A. Young, M. Yung | Relationships Between Diffie-Hellman and Index Oracles | Fourth Conference on Security in Communication Networks ’04, 2004. | |
| J. Voas | Assessing Acquired Software via Software Fault Injection | Software Tech News (Vol. 6, No. 2, December 2003) | HTML |
| A. Young, M. Yung | Backdoor Attacks on Black-Box Ciphers Exploiting Low-Entropy Plaintexts | Eighth Australasian Conference on Information Security and Privacy (ACISP), Lecture Notes in Computer Science (LNCS), July 9-11, Springer-Verlag, 2003. | |
| A. Young | A Weakness in Smart-Card PKI Certification | Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003. | |
| A. Young | Non-Zero Sum Games and Survivable Malware | Proceedings of the 4th Annual IEEE Information Assurance Workshop, June 18-20, United States Military Academy, West Point, New York, 2003. | |
| M. Weber, M. Schmid, D. Geyer, M. Schatz | A Toolkit for Detecting and Analyzing Malicious Software | Annual Computer Security Applications Conference (ACSAC’02), Las Vegas, NV, December, 2002. | |
| M. Schmid, F. Hill, A. Ghosh | Protecting Data from Malicious Software | Annual Computer Security Applications Conference (ACSAC’02), Las Vegas, NV, December, 2002. | |
| G. McGraw | Building Secure Software: Better than Protecting Bad Software | IEEE Software (November/December 2002; Vol. 19, No. 6, pp. 57-59) (Point/Counterpoint with Greg Hoglund) | |
| J. Steven | Putting Software Terminology To the Test | IEEE Software (May/June 2002) | |
| G. McGraw, J. Viega | Choosing a programming language and a distributed object platform | IBM developerWorks (Feb 1, 2002) | HTML |
| G. McGraw, J. Viega | Operating systems and authentication technologies | IBM developerWorks (Feb 1, 2002) | HTML |
| R. MacMichael | Seven Factors to Consider When Redesigning Your Site | IT Professional, July/August 2001. | HTML |
| J. Haddox, G. Kapfhammer, C. Michael, M. Schatz | Testing Commercial-off-the-Shelf Software Components | Proceedings of the 18th International Conference and Exposition on Testing. | Word |
| M. Schmid, J.T. Bloch, F. Hill, A. Ghosh | Controlling the Execution of Unauthorized Software | To appear in the Proceedings of the 2001 DARPA Information Survivability Conference & Exposition, June 2001, Anaheim, CA. | PS Word |
| A. Young, M. Yung | Bandwidth-Optimal Kleptographic Attacks | Cryptographic Hardware and Embedded Systems (CHES), 2001. | |
| A. Young, M. Yung | A PVSS as Hard as Discrete Log and Shareholder Separability | PKC 2001 (Public Key Crypto). | |
| M. Jakobsson, D. Pointcheval, A. Young | Secure mobile gambling | CT-RSA Conference 2001. | |
| G. McGraw, J. Viega | Protecting passwords: Part 2 | IBM developerWorks (September 2000) | HTML |
| G. McGraw, J. Viega | Protecting passwords: Part 1 | IBM developerWorks (August 2000) | HTML |
| G. McGraw, T. O’Connor | Make your software behave: Cryptography essentials | IBM developerWorks (July 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Tried and true encryption | IBM developerWorks (Jun 1, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Everything to hide | IBM developerWorks (May 18, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Software strategies | IBM developerWorks (May 2, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Beating the Bias: How to approach truly random number generation through hardware | IBM developerWorks (Apr 1, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Playing the numbers | IBM developerWorks (Apr 4, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: CGI programming made secure | IBM developerWorks (Mar 28, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: An anatomy of attack code | IBM developerWorks (Mar 21, 2000) | HTML |
| G. McGraw, J. Viega | Software security principles, Part 4: Keep it simple; keep it private | IBM developerWorks (December 2000) | HTML |
| G. McGraw, J. Viega | Software security principles, Part 5: On keeping secrets, trusting others, and following the crowd | IBM developerWorks (December 2000) | HTML |
| C. Michael, A. Ghosh | Two State-Based Approaches to Program-based Anomaly Detection | Proceedings of ACSAC 2000, December 2000. | PS |
| G. McGraw, J. Viega | Software security principles, Part 3: Controlling access: Least privilege and compartmentalization | IBM developerWorks (November 2000) | HTML |
| G. McGraw, J. Viega | Software security principles: Part 2: Defense in depth and secure failure | IBM developerWorks (November 2000) | HTML |
| A.K. Ghosh, M. Schmid | Execution Control Lists: An Approach to Defending Against New and Unknown Malicious Software | In Proceedings of the Information Survivability Workshop 2000, October 24-26, 2000, Boston, MA. | PS |
| G. McGraw, J. Viega | Software security for developers: One-time pads | IBM developerWorks (October 2000) | HTML |
| A.K. Ghosh, C.C. Michael, and M.A. Schatz | A Real-Time Intrusion Detection System Based on Learning Program Behavior | Recent Advances in Intrusion Detection; Third International Workshop, RAID 2000. | PS |
| G. McGraw, J. Viega | Software security principles: Part 1: The chain is only as strong as its weakest link | IBM developerWorks (October 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Security by obscurity | IBM developerWorks (October 2000) | HTML |
| G. McGraw, J. Viega | Statically Scanning Java Code: Finding Security Vulnerabilities | IEEE Software (September/October 2000) | |
| G. Kapfhammer, C. Michael, J. Haddox, R. Coyler | An Approach to Identifying and Understanding Problematic COTS Components | Presented at ISACC 2000, The Software Risk Management Conference. | PS |
| J. Kelsey, T. Kohno, B. Schneier | Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent | Seventh Fast Software Encryption Workshop, Springer-Verlag, April 10-12, 2000. | PS |
| J. Voas | Limited Software Warranties | To be presented at ECBS 2000, April 2000. | PS |
| T. Kohno, J. Kelsey, and B. Schneier | Preliminary Cryptanalysis of Reduced-Round Serpent | Third AES Candidate Conference, April 13-14, 2000. | PS |
| J. Voas | Deriving Accurate Operational Profiles for Mass-Marketed Software | Submitted to 4th International Conference on Empirical Assessment & Evaluation in Software (EASE 2000). | PS |
| G. McGraw, J. Viega | Make your software behave: Brass tacks and smash attacks | IBM developerWorks (Mar 14, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Preventing buffer overflows | IBM developerWorks (Mar 7, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Learning the basics of buffer overflows | IBM developerWorks (Mar 1, 2000) | HTML |
| G. McGraw, J. Viega | Make your software behave: Assuring your software is secure | IBM developerWorks (Feb 28, 2000) | HTML |
| M. Schmid, A.K. Ghosh, F. Hill | Techniques for Evaluating the Robustness of Windows NT Software | To appear in the 2000 DARPA Information Survivability Conference & Exposition (DISCEX’00), January 2000, Hilton Head, SC. | PDF Word |
| A. Young, M. Yung | Hash to the Rescue: Space Minimization for PKI Directories | ICISC 2000 (International Conf. on Info. Sec. and Crypto). | |
| J. Voas and J. Payne | Dependability Certification of Software Components | Journal of Systems and Software, 2000. | PS |
| A. Young, M. Yung | RSA Based Auto-Recoverable Cryptosystems | Proceedings of Public Key Cryptography (PKC), 2000. | |
| J. Voas | Can Chaotic Methods Actually Improve Software Quality Predictions? | IEEE Software, to appear in 2000. | PS |
| J. Voas | Third-Party Usage Profiling: A Model for Optimizing the Mass-Marketed Software Industry | Submitted to IEEE Software. | PS |
| A. Young, M. Yung | Towards Signature-Only Signature Schemes | Asiacrypt 2000. | |
| J. Voas | “User Participation”-Based Software Certification | To appear in IEEE Computer, early 2000. | PS Word |
| J. Voas | Software Fault Injection | IEEE Spectrum, to appear in 2000. | PS |
| A.K. Ghosh, M. Schmid | An Approach to Testing COTS Software for Robustness to Operating System Exceptions and Errors | To appear in the 1999 International Symposium on Software Reliability Engineering (ISSRE99), November 1-4, 1999, Boca Raton, FL. | PS |
| B. Arkin, F. Hill, S. Marks, M. Schmid, T.J. Walls, G. McGraw | How We Learned to Cheat in Online Poker: A Study in Software Security | Developer.Com, 09/28/99. | PDF HTML |
| G. McGraw, J. Viega | Making software behave | IBM developerWorks (Sep 28, 1999) | HTML |
| J. Voas | Software Malleability: We’re Losing It! | In the proceedings of the 2nd Annual Systems Engineering and Supportability Conference, September 1999, San Diego, CA. | |
| J. Voas, F. Charron | Predicting When to Reboot “Continuously Operating” Embedded Software | In proceedings of CONQUEST’99, September 1999, Nuremberg, Germany. | HTML |
| J. Voas | A Recipe for Certifying High Assurance Software | IEEE Software, July 1999. | PS |
| A. Ghosh, J. Voas | Inoculating Software for Survivability | Communications of the ACM, July 1999. | PS |
| J. Voas | This Decade’s Eight Greatest Myths About Software Quality | IEEE Software, July 1999. | PS |
| A. Ghosh, M. Schmid, F. Hill | Wrapping Windows NT Software for Robustness | To appear in Proceedings of the 29th International Fault Tolerant Computer Symposium (FTCS-29), June 15-18, 1999, Madison, WI. | PS |
| J. Voas | User Participation-Based Software Certification | In proceedings of Eurovav’99, Oslo, Norway, June 1999. | PS |
| J. Payne | Quality Meets the CEO | Software Testing & Quality Engineering, May/June 1999 (Vol. 1, Iss. 3) | |
| M. Schmid, F. Hill | Data Generation Techniques for Automated Software Robustness Testing | Sixteenth International Conference on Testing Computer Software (ICTCS’99) | PDF Word |
| J. Voas | A Government-Controlled United States Software/IT Industry? | IEEE Software, May 1999. | PS |
| G. McGraw, J. Viega | Why COTS Software Increases Security Risks | ICSE Workshop on Testing Distributed Component-Based Systems, May 1999. | PS |
| G. McGraw | Java 2 security and stack inspection | Gamelan.com, May 12, 1999. | HTML |
| G. McGraw | Software Assurance for Security | IEEE Computer 32(4), pages 103-105. April 1999. | PDF Word |
| A.K. Ghosh, A. Schwartzbard, M. Schatz | Learning Program Behavior Profiles for Intrusion Detection | To appear in Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 9-12, 1999, Santa Clara, CA. | PS |
| J. Voas | Disposable Information Systems: The Future of Software Maintenance? | Journal of Software Maintenance, March 1999. | PS |
| J. Voas | Can Critical Information Infrastructure Protection be Achieved with Untested Software? | IEEE Software, March 1999. | PS |
| J. Voas | Software Hazard Mining | For the IEEE Workshop on Application Specific Software Engineering and Technology (ASSET’99), March, 1999. Richardson, TX. | PS |
| A.K. Ghosh, A. Schwartzbard, M. Schatz | Using Program Behavior Profiles for Intrusion Detection | SANS Conference and Workshop on Intrusion Detection and Response, Technical Conference, Workshop on the State of the Art and Future Directions of Intrusion Detection and Response, February 12-13, San Diego, CA, pp. 1-20 — 1-26. | PS |
| J. Voas | Protecting Against What? The Achilles Heel of Information Assurance | IEEE Software, January 1999. | |
| A. Ghosh, F. Hill, M. Schmid | NetHose: A Tool for Finding Vulnerabilities in Network Stacks | Short talk at the 1999 IEEE Security and Privacy Symposium, Oakland, CA, 1999. | PS |
| A. Young, M. Yung | Auto-Recoverable Cryptosystems with Faster Initialization and the Escrow Hierarchy | Proceedings of Public Key Cryptography (PKC), 1999. | |
| J. Voas, L. Kassab | Using Assertions to Make Untestable Software More Testable | Software Quality Professional. | PS |
| T. Sander, A. Young, M. Yung | Non-Interactive CryptoComputing for NC1 | 40th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, pages 554-566, ’99. | |
| A. Young, M. Yung | Auto-Recoverable Auto-Certifiable Cryptosystems (a survey) | CQRE, Springer-Verlag, LNCS, 1999. | |
| J. Voas | Analyzing Software Sensitivity to Human Error | Failure and Lessons Learned in Information Technology Management – An International Journal 2(4), December, 1998. | PS |
| A.K. Ghosh, J. Wanken, F. Charron | Detecting Anomalous and Unknown Intrusions Against Programs | Proceedings of Annual Computer Security Applications Conference (ACSAC’98), December 7-11, 1998, Scottsdale, AZ. | PS |
| G. McGraw, E. Felten | Twelve Rules for Developing More Secure Java Code | Java World, December 1998. | HTML |
| G. McGraw, E. Felten | Third-Party Java Security Vendors: Solutions or Snake Oil? | Java Report, December 1998. | Word |
| A.K. Ghosh, M. Schmid, and V. Shah | Testing the Robustness of Windows NT Software | Experience report to appear in the International Symposium on Software Reliability Engineering (ISSRE’98), November 4-7, 1998, Paderborn, GE. | PS |
| A.K. Ghosh, M. Schmid | Wrapping Windows NT Binary Executables for Failure Simulation | Fast abstract to appear in the International Symposium on Software Reliability Engineering (ISSRE’98), November 4-7, 1998, Paderborn, GE. | PS |
| G. McGraw and E. Felten | Mobile Code Security | Editors, IEEE Internet Computing, November/December 1998. | HTML |
| J. Voas | Will Software Failures Halt the Availability of Business Insurance? | International Symposium on Software Reliability Engineering (ISSRE’98), November 4-7, 1998, Paderborn, GE. | PS |
| J. Voas | The Software Quality Certification Triangle | Crosstalk, November, 1998. | PS HTML |
| A. Ghosh, V. Shah, M. Schmid | An Approach for Analyzing the Robustness of Windows NT Software | Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, p. 383-391. Crystal City, VA. | PS |
| A. Ghosh, G. McGraw | An Approach for Certifying Security in Software Components | Proceedings of the 21st National Information Systems Security Conference, October 5-8, 1998, Crystal City, VA. | PS |
| G. McGraw and C. Michael | Automated Software Test Data Generation for Complex Programs | Proceedings of the 13th IEEE Automated Software Engineering Conference, October 13-16, 1998, Honolulu, Hawaii. | PS |
| G. McGraw, K. Sullivan | Massive Games of Artificial Life on the Internet: A Testbed for Research on Survivability Architectures | Proceedings of the Information Survivability Workshop, October 28-30 1998, Orlando, FL. | Word |
| J. Voas | Studying Behavior to Unlock the Truth About Quality | Cutter IT Journal, September, 1998 (Volume 11, Number 9), p. 7-11. | |
| G. McGraw | Privileged code in Java: Why the API changed from JDK1.2beta3 to JDK1.2beta4 | developer.com, August 31, 1998. | HTML |
| L. Kassab, J. Voas | Agent Trustworthiness | Workshop on Mobile Object Systems: Secure Internet Mobile, July, 1998, Brussels, Belgium. | PS |
| A.K. Ghosh | E-Commerce Security: No Silver Bullet | In Proceedings of the IFIP WG 11.3 Working Conference on Database Security, July 15-17, 1998, Chalkidiki, GR. | |
| J. Voas | Maintaining Component-based Systems | IEEE Software, July, 1998. | PS |
| J. Voas | Defensive Approaches to Testing Systems that Contain COTS and Third-Party Functionality | In Proc. of 15th Int’l. Conference and Exposition on Testing Computer Software, June, 1998. | PS |
| J. Voas | An Approach to Certifying Off-the-Shelf Software Components | IEEE Computer, June, 1998. | PS |
| L. Kassab, J. Voas | Towards Fault-Tolerant Mobile Agents | Workshop on Distributed Computing on the Web, June, 1998, Rostock, Germany. | PS |
| J. Voas | Independent Software Measurement’s Role in the Liability Puzzle | In the Proceeding of The European Software Measurement Conference Antwerp, Belgium May 1998 | PS |
| A. Ghosh, T. O’Connor, G. McGraw | An Automated Approach for Identifying Potential Vulnerabilities in Software | Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA. May 3-6, 1998, pp. 104-114. | PS |
| J. Voas | Software Certification Laboratories? | Crosstalk, April 1998. | PS |
| J. Voas | A Defensive Approach to Testing Systems that Contain COTS and Third-Party Functionality | In the Proceedings AQUIS ’98, Venice, April 1998. | PS |
| G. McGraw | Testing for Security During Development: Why we should scrap penetrate-and-patch. | IEEE Aerospace and Electronic Systems, April 1998. | PS |
| J. Voas, F. Charron, L. Beltracchi | Error Propagation Analysis Studies in a Nuclear Research Code | In Proceedings of the 1998 IEEE Aerospace Conference, Snowmass, CO, March 1998. | |
| J. Voas | COTS: The Economical Choice? | IEEE Software (Manager Column), March 1998. | PS |
| J. Voas, J. Payne | OTS Software Failures: Can Anything be Done? | In Proceedings of the First IEEE Workshop on Application Specific Software Engineering and Technology (ASSET’98), March, 1998, Dallas | PS |
| J. Payne, M. Schatz, M. Schmid | Implementing Assertions for Java | Dr. Dobb’s Journal, January 1998. | HTML |
| G. McGraw | Smart Cards, Java Cards and Security | developer.com, January 19, 1998. | HTML |
| J. Voas | Certifying Y2K ‘Fixes’ | Crosstalk, January 1998. | PS |
| A. Young, M. Yung | Auto-Recoverable Auto-Certifiable Cryptosystems | Advances in Cryptology, Eurocrypt ’98. | |
| A. Young, M. Yung | Finding Length-3 Positive Cunningham Chains and their Cryptographic Significance | Algorithmic Number Theory III (ANTS), LNCS vol. 1423, 1998. | |
| A. Young, M. Yung | Black-Box Symmetric Ciphers Designed for Monopolizing Keys | Fast Software Encryption Workshop, 1998. | |
| J. Voas | Fault Injection for the Masses | IEEE Computer, December 1997. | PS |
| G. McGraw | Don’t Push Me: The Security Implications of Push | developer.com, December 30, 1997. | HTML |
| C. Michael, G. McGraw, M. Schatz, and C. Walton | Genetic Algorithms for Dynamic Test Data Generation | In Proceedings of IEEE International Automated Software Engineering Conference (ASE97), November 3-5, 1997. | PS |
| J. Voas, A. Ghosh, F. Charron, L. Kassab | Reducing Uncertainty About Common-Mode Failures | In Proceedings of ISSRE, November 1997. | PS |
| G. McGraw | Sandboxes and Signatures Part 1: The Future of Executable Content | developer.com, October 7, 1997. | HTML |
| J. Voas, L. Kassab | Simulating Specification Errors and Ambiguities in Systems Employing Diversity | In the Proceedings of 1997 Pacific Northwest Software Quality Conference, October 27-29, 1997. | PS |
| G. McGraw, T. O’Connor | Sandboxes and Signatures Part 2: How to Sign Code for Netscape Communicator | developer.com, October 14, 1997. | HTML |
| J. Voas | Building Software Recovery Assertions from Fault Injection Analysis | In Proceedings of COMPSAC’97, August 1997, Washington DC. | PS |
| C. Michael, J. Voas | The Ability of Directed Tests to Predict Software Quality | In Annals of Software Engineering, August 1997. | PS |
| J. Voas, F. Charron, G. McGraw, E. Miller, M. Friedman | Predicting How Badly “Good” Software can Behave | IEEE Software, July 1997. | PS |
| J. Voas | Can Clean Pipes Produce Dirty Water? | IEEE Software (Quality Time Column), July 1997. | PS |
| G. McGraw | Testing for Security During Development: Why We Should Scrap Penetrate-and-Patch | In Proceedings of 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD. | PS |
| J. Voas, A. Ghosh, F. Charron, L. Kassab | Reducing Uncertainty About Common-Mode Failures | Submitted to the 12th Annual Conference on Computer Assurance, June 16-20, 1997, Gaithersburg, MD. | PS |
| C. Michael | Reusing Tests of Reusable Software Components | In Proceedings of COMPASS ’97, June 1997. | PS |
| C. Michael, J. Voas | Problems of Accuracy in the Prediction of Software Quality from Directed Tests | International Conference on Testing Computer Software, June 1997. | PS |
| C. Michael and R. Jones | On the Uniformity of Error Propagation in Software | In Proceedings of COMPASS ’97, June 1997. | PS |
| J. Voas, G. McGraw, L. Kassab, L. Voas | Fault-injection: A Crystal Ball for Software Quality | IEEE Computer, June 1997, Volume 30, Number 6, pp. 29-36. | PS |
| G. McGraw, E. Felten | Avoiding Hostile Applets: How to Minimize the Risks of Executable Content | BYTE, May 1997. | HTML |
| G. McGraw, E. Felten | Understanding the Keys to Java Security — The Sandbox and Authentication | Java World, May 1997. | HTML |
| G. McGraw | Is Your Browser a Blabbermouth? Are Your Ports Being Scanned? | Java World, March 1997. | HTML |
| J. Voas | A Few Assertions about Information Hiding | IEEE Software (Quality Time Column), March 1997. | PS |
| C. Michael | Using Evolution Constraints to Assess the Failure-proneness of Evolving Software | Proceedings of the First Euromicro Working Conference on Software Maintenance and Reengineering (CSMR97), March 17-19, 1997, Berlin, Germany. | PS |
| J. Voas | Software Fault-injection: Growing ‘Safer’ Systems | In Proc. of IEEE Aerospace Conference, February, 1997, Snowmass, CO. | PS |
| J. Voas, G. McGraw, A. Ghosh | Reducing Uncertainty About Survivability | Proc. of the 1997 Information Survivability Workshop, February 12-13, 1997, San Diego, CA | PS |
| G. McGraw, E. Felten | A Friendly Introduction to Hostile Applets | Netscape World, February 1997. | HTML |
| G. McGraw | Plugs for Java’s Security Holes | BYTE, January 1997. | HTML |
| G. McGraw, E. Felten | Java Security and Type Safety | BYTE, January 1997. | HTML |
| A. Young, M. Yung | Encryption Tools for Mobile Agents: Sliding Encryption | Fast Software Encryption Workshop. | |
| C. Michael | On the Use of Process Information in Directed Testing | Software Quality Engineering ’97. | PS |
| A. Young, M. Yung | Kleptography: Using Cryptography against Cryptography | Advances in Cryptology, Eurocrypt ’97, pages 62-74, Springer, 1997. | |
| A. Young, M. Yung | Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage | IEEE Symposium on Security and Privacy, pages 224-235, 1997. | |
| A. Young, M. Yung | The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems | Advances in Cryptology, CRYPTO ’97, pages 264-276, Springer, 1997. | |
| J. Voas, K. Miller | Software Testability: Investing in Testing | Proceedings of EuroStar’96, Amsterdam, December, 1996. | PS |
| J. Voas, A. Ghosh, G. McGraw, K. Miller | Glueing Together Software Components: How Good is Your Glue? | Proceedings of Pacific Northwest Software Quality Conference, October, 1996. | PS |
| J. Voas, F. Charron, K. Miller | Tolerant Software Interfaces: Can COTS-based Systems be Trusted Without Them? | Proceedings of the 15th Int’l. Conference on Computer Safety, Reliability, and Security (SAFECOMP’96), Vienna, October, 1996. | PS |
| J. Voas, F. Charron, K. Miller | Investigating Rare-Event Failure Tolerance: Reductions in Uncertainty | Proceedings of IEEE High-Assurance Systems Engineering Workshop (HASE’96), In conjunction with the 15th Symposium on Reliable Distributed Systems, Niagara-on-the-Lake, Canada, October, 1996. | PS |
| G. McGraw, C. Michael | Automatic Generation of Test-Cases for Software Testing | Proceedings of the 18th Annual Conference of the Cognitive Science Society, July 1996. | PS |
| G. McGraw, D. Hofstadter | Emergent Letter Perception: Implementing the Role Hypothesis | Proceedings of the 18th Annual Conference of the Cognitive Science Society, July 1996. | PS |
| G. McGraw, D. Hovemeyer | Untangling the Woven Web: Testing Web-based Software | Proceedings of the 13th International Conference on Testing Computer Software (ICTCS), June 1996. | PS |
| G. McGraw, A.K. Ghosh | Developing Expertise in Software Security: An Outsider’s Perspective | In working notes of the Invitational Workshop on Computer Vulnerability Data Sharing, NIST, June 1996. | PS |
| J. Voas, K. Miller | Substituting Voas’s Testability Measure for Musa’s Fault Exposure Ratio | Proceedings of the Int’l. Communications Conference, June, 1996, Dallas, TX. | PS |
| A.S. Binns, G. McGraw | Building a Java Software Engineering Tool for Testing Applets | Proceedings of the IntraNet 96 NY Conference, April 8-10, 1996, New York City. | PS |
| J. Voas | Testing Software for Characteristics Other than Correctness: Safety, Failure-tolerance, and Security | Proceedings of the Int’l. Conf. on Testing Computer Software. | PS |
| A. Young, M. Yung | The Dark Side of ‘Black-Box’ Cryptography or: Should We Trust Capstone? | Advances in Cryptology, CRYPTO ’96, pages 89-103, Springer, 1996. | |
| J. Voas, G. McGraw, A.K. Ghosh, F. Charron, K. Miller | Defining an Adaptive Software Security Metric from a Dynamic Software Failure-tolerance Measure | Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS’96) | PS |
| A. Young, M. Yung | Cryptovirology: Extortion-Based Security Threats and Countermeasures | IEEE Symposium on Security and Privacy, pages 129-140, 1996. | |
| J. Voas, K. Miller | An Automated Code-based Fault-tree Mitigation Technique | Proceedings of 14th Int’l. Conf. on Computer Safety, Security, and Reliability. Italy, October, 1995. | PS |
| T.A. DeLong, A.K. Ghosh, B.W. Johnson, J.A. Profeta, III | Fault Injection for Logic Synthesis Design using VHDL | Mentor Users’ Group Symposium 12th Annual International Conference, October 23-27, 1995, Portland, OR. | PS |
| T.M. Khoshgoftaar, R.M. Szabo, J.M. Voas | Detecting Program Modules with Low Testability | Proceedings of ICSM’95, Nice, France, October, 1995. | PS |
| J. Voas, K. Miller | Using Fault Injection to Assess Software Engineering Standards | Proceedings of Int’l. Symp. on Software Engineering Standards, August, 1995. | PS |
| J. Offutt, J. Pan, J. Voas | Procedures for Reducing the Size of Coverage-based Test Sets | Proceedings of 12th Int’l. Conf. on Testing Computer Software. Washington, DC. June, 1995. | PS |
| J. Voas, K. Miller | Examining Fault-tolerance Using Unlikely Inputs: Turning the Test Distribution Up-side Down | Proceedings of COMPASS’95, Gaithersburg, MD June, 1995. | PS |
| J. Voas | Software Testability Measurement for Assertion Injection and Fault Localization | Proceedings of 2nd Int’l. Workshop on Automated and Algorithmic Debugging (AADEBUG’95), St. Malo, France, May, 1995. | PS |
| J. Voas, K. Miller | Software Testability: The New Verification | IEEE Software. May, 1995. | PS |
| J. Voas, J. Payne, R. Mills, J. McManus | Software Testability: An Experiment in Measuring Simulation Reusability | Proceedings of ACM Sigsoft (SSR’95), Seattle, April 29-30. | PS |
| J. Voas, K. Miller | Predicting Software’s Minimum-time-to-hazard and Mean-time-to-hazard for Rare Input Events | Proceedings of the 6th Int’l. Symp. on Softw. Reliability Engineering, 1995, Publisher: IEEE Computer Society. | PS |
| J. Voas, C. Michael, K. Miller | Confidently Assessing a Zero Probability of Software Failure | High Integrity Systems Journal. Oxford University Press. 1(3):269-275, 1995. | PS |
| J. Voas, K. Miller | Putting Assertions in Their Place | Proceedings of the Int’l. Symposium on Software Reliability Engineering, November 6-9, 1994, Monterey, CA. | PS |
| J. Voas, K. Miller, J. Payne | A Comparison of a Dynamic Software Testability Metric to Static Cyclomatic Complexity | Proceedings of 2nd Int’l. Conf. on Software Quality Management, July, 1994, Edinburgh, Scotland, Publisher: Computational Mechanics Publications. | PS |
| J. Voas | Formal Testability Analysis | In the Encyclopedia of Software Engineering, John Wiley & Sons, pp.517–518, 1994. | PS |
| J. Voas, K. Miller | Dynamic Testability Analysis for Assessing Fault Tolerance | High Integrity Systems Journal. 1(2):171-178, 1994, Oxford University Press. | PS |
| J. Voas, K. Miller, J. Payne | An Empirical Comparison of a Dynamic Software Testability Metric to Static Cyclomatic Complexity | Proceedings of the 18th Annual Software Engineering Workshop, December, 1993, NASA-Goddard Software Engineering Laboratory Series Report 93-003. | PS |
| J. Voas, C. Michael, K. Miller | Confidently Assessing a Zero Probability of Software Failure | Proceedings of the 12th Int’l. Conf. on Computer Safety, Reliability, and Security, October, 1993, pp. 197-206, Poznan, Poland. Publisher: Springer-Verlag, ISBN 3-540-19838-5. | PS |
| J. Voas, K. Miller, J. Payne | Dynamic Testability Analysis for Software Safety | Proceedings of the 2nd IASTED Int’l. Conf. on Reliability, Quality Control and Risk Assessment, October, 1993, Cambridge, MA, Publisher: IASTED-ACTA Press, ISBN: 0-88986-181-1. | PS |
| J. Voas, K. Miller, J. Payne | Automating Test Case Generation for Coverages Required by FAA Standard DO-178B | Proceedings of Computers in Aerospace 9, October, 1993, San Diego, CA. Publisher: AIAA. | PS |
| J. Voas, K. Miller, J. Payne | Software Testability and Its Application to Avionic Software | Proceedings of Computers in Aerospace 9, October, 1993, San Diego, CA. Publisher: AIAA. | PS |
| R. Hamlet, J. Voas | Faults on Its Sleeve: Amplifying Software Reliability Testing | Proceedings of the ACM SIGSOFT Int’l. Symposium on Software Testing and Analysis, June, 1993, Cambridge, MA, Publisher: ACM. | PS |
| J. Voas, K. Miller, J. Payne | A Software Analysis Technique for Quantifying Reliability in High-Risk Medical Devices | Proceedings of the 6th IEEE Symposium on Computer-Based Medical Systems, June, 1993, Ann Arbor, MI. | PS |
| L. Morell, J. Voas | A Framework for Defining Semantic Metrics | The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:245-251, March, 1993. | PS |
| J. Voas, K. Miller | Applying a Dynamic Testability Technique to Debugging Certain Classes of Software Faults | Software Quality Journal, Chapman & Hall, March, 1993, p. 61-75. | PS |
| J. Voas, K. Miller | Semantic Metrics for Software Testability | The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:207-216, March, 1993. | PS |
| J. Voas, K. Miller, J. Payne | Designing Programs That are Less Likely to Hide Faults | The Journal of Systems and Software, Elsevier Science Publishers Ltd. 20:93-100, January, 1993. | PS |
| J. Voas, J. Payne, F. Cohen | A Model for Detecting the Existence of Software Corruption in Real Time | Computers and Security J., 11(8), Elsevier Science Publishers Ltd. 1993. | PS |
| J. Voas, L. Voas, K. Miller | A Model for Assessing the Liability of Seemingly Correct Software | Proceedings of the IASTED Int’l. Conf. on Reliability, Quality Control and Risk Assessment, p. 32–35, November, 1992, Washington, D.C, Publisher: IASTED-ACTA Press, ISBN: 0-88986-171-4. | PS |
| J. Voas, K. Miller | Improving the Software Development Process Using Testability Research | Proceedings of the 3rd Int’l. Symp. on Softw. Reliability Engineering, p. 114–121, October, 1992, RTP, NC, Publisher: IEEE Computer Society. | PS |
| J. Voas, K. Miller, R. Noonan | Designing Programs that do not Hide Data State Errors During Random Black-Box Testing | Proceedings of the 5th Int’l. Conf. on Putting Into Practice Methods and Tools for Information System Design, September, 1992, Nantes, France. | PS |
| J. Voas | PIE: A Dynamic Failure-Based Technique | IEEE Trans. on Softw. Eng., 18(8):717–727, August, 1992. | PS |
| J. Voas | Dynamic Testing Complexity Metric | Software Quality Journal, 1(2):101–114, Chapman & Hall, June, 1992. | PS |
| J. Voas, K. Miller | The Revealing Power of a Test Case | Journal of Software Testing, Verification, and Reliability, John Wiley and Sons, 2(1):25-42, May, 1992. | PS |
| J. Voas, K. Miller, J. Payne | PISCES: A Tool for Predicting Software Testability | Proceedings of the Symp. on Assessment of Quality Software Development Tools, May, 1992, p. 297-309, New Orleans, LA, IEEE Computer Society, ISBN: 0-8186-2620-8. | PS |
| K. Miller, L. Morell, R. Noonan, S. Park, D. Nicol, B. Murrill, J. Voas | Estimating the Probability of Failure when Testing Reveals No Failures | IEEE Trans. on Software Engineering, 18(1):33-44, Jan. 1992. | PS |
| J. Voas | Factors that Affect Software Testability | Proceedings of the 9th Pacific Northwest Softw. Quality Conf., p. 235–247, October, 1991, Portland, OR. Publisher: Pacific Northwest Software Quality Conference, Inc. | PS |
| J. Voas | A Dynamic Failure Model for Predicting the Impact that a Program Location has on the Program | Lecture Notes in Computer Science Series, Vol. 550: Proc. of the 3rd European Softw. Eng. Conf., p. 308–331, October, 1991, Italy, Publisher: Springer-Verlag, A. Van Lamsweerde and A. Fugetta (Eds.). | PS |
| J. Voas, L. Morell, K. Miller | Predicting Where Faults Can Hide From Testing | IEEE Software, 8(2):41–47, March 1991. | PS |