[1] CERT/CC Statistics 1988-2006, October 2006. http://www.cert.org/stats/cert_stats.html.
[2] Paul F. Roberts. Major Card Vendors Stay Mum on Data Breach, 2005. www.eweek.com.
[3] Mark Trumbull. AOL Security Breach Puts Web on Notice. The Christian Science Monitor, August 11 2006.
[4] The University of Texas at Austin Responds to Data Theft, April 2006. http://www.mccombs.utexas.edu/datatheft/.
[5] Rebecca Trounson. Major Breach of UCLA's Computer Files. Los Angeles Times, December 12 2006.
[6] A. Householder, K. Houle, and C. Dougherty. Computer Attack Trends Challenge Internet Security. Internet Security (Supplement to Computer Magazine), 35(4):5-7, 2002.
[7] John Markoff. Attack of the Zombie Computers is a Growing Threat, Experts Say. New York Times, January 7 2007.
[8] Brad Stone. Spam Doubles, Finding New Ways to Deliver Itself. New York Times, December 6 2006.
[9] Nicholas Ianelli and Aaron Hackworth. Botnets as a Vehicle for Online Crime. Technical report, CERT Coordination Center, 2005.
[10] Frank Piessens. A Taxonomy of Causes of Software Vulnerabilities in Internet Software. In Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), pages 47-52, 2002.
[11] Sam Weber, Paul A. Karger, and Amit Paradkar. A Software Flaw Taxonomy: Aiming Tools at Security. ACM SIGSOFT Software Engineering Notes, 30(4):1-7, 2005.
[12] OWASP. The Ten Most Critical Web Application Security Vulnerabilities. Technical report, 2004. The Open Web Application Security Project.
[13] U. Lindqvist and E. Jonsson. How to Systematically Classify Computer Security Intrusions. In Proceedings of the IEEE Symposium on Security and Privacy, pages 154-163, Oakland, CA, USA, 1997.
[14] Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi. A Taxonomy of Computer Program Security Flaws. ACM Computing Surveys, 26(3):211-254, 1994.
[15] Premkumar T. Devanbu and Stuart G. Stubblebine. Software Engineering for Security: a Roadmap. In Proceedings of the International Conference on Software Engineering, pages 227-239, 2000.
[16] Brian Krebs. Microsoft's Security Push Rolls on. Washington Post, October 6 2005.
[17] John Markoff. Security Experts Say Risky Flaws Exist in New Microsoft System. New York Times, December 25 2006.
[18] P. Oehlert. Violating Assumptions with Fuzzing. IEEE Security and Privacy Magazine, 3(2):58-62, 2005.
[19] KPhone SIP Softphone. http://kphone.cvs.sourceforge.net/kphone/kphone/.
[20] H. Srinivasan and K. Sarac. A SIP Security Testing Framework. In Proceedings of the IEEE Consumer Communications and Networking Conference, pages 1-5, Las Vegas, Nevada, USA, 2009.
[21] Humberto Abdelnur, Olivier Festor, and Radu State. KiF: a Stateful SIP Fuzzer. In Proceedings of the 1st ACM International Conference on Principles, Systems and Applications of IP Telecommunications, pages 47-56, New York, USA, 2007. ACM Press.
[22] C. Wieser, M. Laakso, and H. Schulzrinne. Security Testing of SIP Implementations. Technical report, Columbia University, Department of Computer Science, 2003.
[23] G. Banks, M. Cova, V. Felmetsger, K. Almeroth, R. Kemmerer, and G. Vigna. SNOOZE: toward a Stateful NetwOrk prOtocol fuzZEr. In Proceedings of the 9th International Conference on Information Security, volume 4176 of Lecture Notes in Computer Science (LNCS), Samos Island, Greece, 2006. Springer.
[25] Brian Chess and Gary McGraw. Static Analysis for Security. IEEE Security and Privacy, 2(6):32-35, 2004.
[26] John Viega, J. T. Bloch, Tadayoshi Kohno, and Gary McGraw. ITS4: A Static Vulnerability Scanner for C and C++ Code. In Proceedings of the 16th Annual Conference on Computer Security Applications, pages 257-267, New Orleans, LA, USA, 2000.
[27] David A. Wheeler. Flawfinder. http://www.dwheeler.com/flawfinder.
[28] Secure Software Inc. RATS. http://www.securesw.com/rats.
[29] David Evans and David Larochelle. Improving Security using Extensible Lightweight Static Analysis. IEEE Software, 19(1):42-51, 2002.
[30] David Larochelle and David Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In Proceedings of the 10th Usenix Security Symposium, Washington, DC, USA, 2001.
[31] Brian V. Chess. Improving Computer Security using Extended Static Checking. In Proceedings of the IEEE Symposium on Security and Privacy, pages 160-173, Berkeley, CA, USA, 2002.
[32] K. Ashcraft and D. Engler. Using Programmer Written Compiler Extensions to Catch Security Holes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 143-159, Berkeley, CA, USA, 2002.
[33] Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th USENIX Security Symposium, pages 201-220, Washington, DC, USA, 2001.
[34] J. Foster, T. Terauchi, and A. Aiken. Flow Sensitive Type Qualifiers. ACM SIGPLAN Notices, 37(5):1-12, 2002.
[35] David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium, pages 3-17, San Diego, CA, USA, 2000.
[36] H. Chen and D. Wagner. MOPS: An Infrastructure for Examining Security Properties of Software. In Proceedings of the ACM Conference on Computer and Communications Security, pages 235-244, Washington, DC, USA, 2002.
[37] Crispin Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton. StackGuard: Automatic Adaptive Detection and Prevention of Buffer Overflow Attacks. In Proceedings of the USENIX Security Conference, pages 63-78, San Antonio, Texas, USA, 1998.
[38] T. Chiueh and F. Hsu. RAD: A Compile-Time Solution to Buffer Overflow Attacks. In Proceedings of the IEEE 21st International Conference on Distributed Computing Systems, pages 409-417, Mesa, AZ, USA, 2001.
[39] Mike Frantzen and Mike Shuey. StackGhost: Hardware Facilitated Stack Protection. In Proceedings of the 10th USENIX Security Symposium, pages 55-66, Washington, DC, USA, 2001.
[40] Crispin Cowan, Matt Baringer, Steve Beattie, Greg Kroah-Hartman, Mike Frantzen, and Jaime Lokier. FormatGuard: Automatic Protection from printf Format String Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 191-200, Washington, DC, USA, 2001.
[41] Crispin Cowan, Steve Beattie, Chris Wright, and Greg Kroah-Hartman. RaceGuard: Kernel Protection from Temporary File Race Vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, pages 165-172, Washington, DC, USA, 2001.
[42] R. Jones and P. Kelly. Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs. In Proceedings of the International Workshop on Automatic Debugging, pages 13-26, 1997.
[43] A. Baratloo, N. Singh, and T. Tsai. Libsafe: Protecting Critical Elements of Stacks. White paper, 1999.
[44] Arash Baratloo, Navjot Singh, and Timothy Tsai. Transparent Run-Time Defense Against Stack Smashing Attacks. In Proceedings of the USENIX Annual Technical Conference, pages 251-262, San Diego, CA, USA, 2000.
[45] Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 6th USENIX Security Symposium, pages 1-13, San Jose, CA, USA, 1996.
[46] George C. Necula, Scott McPeak, and Westley Weimer. CCured: Type-Safe Retrofitting of Legacy Code. In Proceedings of the Symposium on Principles of Programming Languages, pages 128-139, 2002.
[47] T. Jim, G. Morrisett, D. Grossman, and M. Hicks. Cyclone: A Safe Dialect of C. In Proceedings of the USENIX Annual Technical Conference, Monterey, CA, USA, 2002.
[48] Dan S. Wallach and Edward W. Felten. Understanding Java Stack Inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 52-63, Oakland, CA, USA, 1998.
[49] Ulfar Erlingsson and Fred B. Schneider. IRM Enforcement of Java Stack Inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 246-255, Berkeley, CA, USA, 2000.
[50] Jared DeMott. The Evolving Art of Fuzzing. In DefCon, 2006.
[51] B.P. Miller, L. Fredriksen, and B. So. An Empirical Study of the Reliability of Unix Utilities. Communications of the ACM, 33(12), 1990.
[52] B.P. Miller, D. Koski, C.P. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of unix utilities and services. Technical report, University of Wisconsin-Madison, Department of Computer Science, 1995.
[53] J.E. Forrester and B.P. Miller. An Empirical Study of the Robustness of Windows NT Applications using Random Testing. In Proceedings of the 4th USENIX Windows Systems Symposium, pages 59-68, Seattle, Washington, USA, 2000.
[54] B.P. Miller, G. Cooksey, and F. Moore. An Empirical Study of the Robustness of MacOS Applications using Random Testing. ACM SIGOPS Operating Systems Review, 41(1):78-86, 2007.
[55] Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, and Chung-Hung Tsai. Web Application Security Assessment by Fault Injection and Behavior Monitoring. In Proceedings of the 12th International Conference on World Wide Web, pages 148-159, Budapest, Hungary, 2003.
[56] Leon Juranic. Using Fuzzing to Detect Security Vulnerabilities. Technical report, Infigo IS, 2006.
[57] Request for Comments 3261, Session Initiation Protocol. RFC Editor Database, http://www.rfc-editor.org/.
[58] X11::GUITest Libraries, Version 0.21. http://sourceforge.net/projects/x11guitest.