An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Arora, Ashish; Krishnan, Ramayya; Telang, Rahul; Yang, Yue

doi:10.1287/isre.1080.0226

Cited by 114 publications

(91 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In [8], authors show that a vendor with more competitors patches the vulnerabilities more quickly. In [7], they show that the vulnerability disclosure accelerates the patch release. Although their work is based upon a small data set of just 354 vulnerabilities disclosed till 2003, they make similar observation as ours that the closed-source vendors are quicker in patching the disclosed vulnerabilities.…”

Section: B Studies On Disclosure and Patchingmentioning

confidence: 99%

“…The goal of such work is to estimate the number of vulnerabilities in new software products. Another direction of work aims to study the changes in the patching behavior of vendors in response to vulnerability disclosures and the existence of competitors [7], [8]. These studies analyze only small vulnerability data sets and do not cover the behavior of individual vendors.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A large scale exploratory analysis of software vulnerability life cycles

Shahzad

Shafiq

Liu

2012

2012 34th International Conference on Software Engineering (ICSE)

132

View full text Add to dashboard Cite

Abstract-Software systems inherently contain vulnerabilities that have been exploited in the past resulting in significant revenue losses. The study of vulnerability life cycles can help in the development, deployment, and maintenance of software systems. It can also help in designing future security policies and conducting audits of past incidents. Furthermore, such an analysis can help customers to assess the security risks associated with software products of different vendors.In this paper, we conduct an exploratory measurement study of a large software vulnerability data set containing 46310 vulnerabilities disclosed since 1988 till 2011. We investigate vulnerabilities along following seven dimensions: (1) phases in the life cycle of vulnerabilities, (2) evolution of vulnerabilities over the years, (3) functionality of vulnerabilities, (4) access requirement for exploitation of vulnerabilities, (5) risk level of vulnerabilities, (6) software vendors, and (7) software products. Our exploratory analysis uncovers several statistically significant findings that have important implications for software development and deployment.

show abstract

Section: B Studies On Disclosure and Patchingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A large scale exploratory analysis of software vulnerability life cycles

Shahzad

Shafiq

Liu

2012

2012 34th International Conference on Software Engineering (ICSE)

132

View full text Add to dashboard Cite

show abstract

“…A risk of conflict with the vendor can be deduced from this and has been confirmed by [31,34,36]. A risk of maintencance leading to resistance and user revolt caused by changed software is also identified [3,22].…”

Section: Reasons For Maintenance Deferral Do Existmentioning

confidence: 72%

A Conceptual Investigation of Maintenance Deferral and Implementation: Foundation for a Maintenance Lifecycle Model

Savage

Kautz

Clarke

2017

Complexity in Information Systems Development

View full text Add to dashboard Cite

Despite the fact that society and organizations rely heavily on Information Systems (IS) and software, the maintenance of vendor-supplied IS, in particular standard package software has gained little attention within the academic literature. This paper presents a conceptual study of the current state of research concerning the reasons for deferral and performance of vendor-supplied maintenance by the purchasing organization. These reasons have so far neither been investigated together nor from that perspective. Based on a systematic literature review and taking the purchaser's viewpoint, reasons for maintenance deferral and performance are identified from the literature. They build the groundwork and foundation for a Maintenance Lifecycle and Process Model that provides a starting point to research vendor-supplied maintenance from the customer's point of view. Disciplines Business AbstractDespite the fact that society and organizations rely heavily on Information Systems (IS) and software, the maintenance of vendor-supplied IS, in particular standard package software has gained little attention within the academic literature. This paper presents a conceptual study of the current state of research concerning the reasons for deferral and performance of vendorsupplied maintenance by the purchasing organization. These reasons have so far neither been investigated together nor from that perspective. Based on a systematic literature review and taking the purchaser's viewpoint, reasons for maintenance deferral and performance are identified from the literature. They build the groundwork and foundation for a Maintenance Lifecycle and Process Model that provides a starting point to research vendor-supplied maintenance from the customer's point of view.

show abstract

“…D'autres études se sont intéréssés à l'utilisation de données réelles afin de caractériser des comportements d'attaquant. Par exemple, dans (Arora et al, 2004), les auteurs étudient l'impact de la publication de la vulnérabilité et de la publication du correctif sur le processus d'attaque. En utilisant un ensemble de 308 vulnérabilités, ils ont proposé un modèle permettant de prédire l'évolution du nombre d'attaques par hôte et par jour.…”

Section: Etat De L'art Sur L'évaluation De La Sécuritéunclassified

évaluation quantitative de la sécurité. Approche basée sur les vulnérabilités

Marconato¹,

Nicomette²,

Kaâniche³

2013

Techniques et sciences informatiques

View full text Add to dashboard Cite

RÉSUMÉ. Les travaux présentés dans cet article sont consacrés à la sécurisation des systèmes d'information en se basant sur des mesures quantitatives. Les mesures ont pour but d'aider à la prévision des risques et de fournir les informations nécessaires permettant d'assurer le niveau de sécurité du système en opération. Dans cette approche, nous prenons en considération des facteurs externes ayant un impact significatif sur la sécurité du système. Nous avons identifié trois facteurs, liés au processus d'exploitation d'une vulnérabilité : le cycle de vie de la vulnérabilité, le comportement des attaquants et le comportement de l'administrateur du système. Nous avons étudié les dépendances entre ces différents facteurs et comment leur évolution pouvait impacter la sécurité du système. A partir de cette étude, nous avons défini des mesures quantitatives prenant en compte ces facteurs externes et avons modélisé, en utilisant le formalisme des SAN (Stochastic Activity Networks), le processus d'exploitation de la vulnérabilité qui conduit à la compromission du système. Nous avons distingué deux scénarios selon que la vulnérabilité est découverte par une personne malveillante ou non malveillante. En analysant une base de données de vulnérabilités, nous avons caractérisé la probabilité d'occurrence de plusieurs événements du cycle de vie de la vulnérabilité, que nous utilisons pour l'obtention de nos mesures.ABSTRACT. The objective of this work is the evaluation of information systems security using quantitative measures. These measures aim at forecasting risks and providing information to monitor the security level of the system in operation. In our approach, we take into account some environmental factors that have a significant impact on the security of the system. We have identified three such factors that are related to the vulnerability exploitation process: the vulnerability life cycle, the behavior of the attackers and the behavior of the system administrator. We have studied the dependencies between these factors and how the evolution of these factors could impact the system security. From this study, we have defined quantitative security measures taking into account these environmental factors and we have developed a model 1 re soumission à Technique et science informatiques, le 22/03/2011 2 1 re soumission à Technique et science informatiques based on Stochastic Activity Networks (SANs), describing how the vulnerability exploitation process could lead to system compromission. We have distinguished two scenarios according to whether the vulnerability is discovered by a malicious user or not. By analysing a vulnerability database, we have characterised the probability of occurrence of several events of the vulnerability life cycle. This characterization helped us to quantify the measures by processing the SAN model.

show abstract

An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Cited by 114 publications

References 21 publications

A large scale exploratory analysis of software vulnerability life cycles

A large scale exploratory analysis of software vulnerability life cycles

A Conceptual Investigation of Maintenance Deferral and Implementation: Foundation for a Maintenance Lifecycle Model

évaluation quantitative de la sécurité. Approche basée sur les vulnérabilités

Contact Info

Product

Resources

About