Measuring, analyzing and predicting security vulnerabilities in software systems

Alhazmi, Omar H.; Malaiya, Yashwant K.; Ray, Indrajit

doi:10.1016/j.cose.2006.10.002

Cited by 190 publications

(139 citation statements)

References 16 publications

Supporting

Mentioning

126

Contrasting

Unclassified

Order By: Relevance

“…This model has been found to yield a significant goodness-of-fit for many widely used software systems [7,8,9,21]. However the plots of actual data sometimes show a departure from the model following the release of a new version [8].…”

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

“…The model is based on the assumption that the vulnerability discovery process is controlled by the market share of the software and the number of vulnerabilities remaining undiscovered [8]. This model has been found to yield a significant goodness-of-fit for many widely used software systems [7,8,9,21].…”

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

“…Recently, researchers have started investigating how the vulnerability discovery process can be described using some Vulnerability Discovery Model (VDM). Examples of VDMs include the work by Anderson, Rescorla, Alhazmi and Malaiya [5,6,7,8,9]. Each model uses a different approach and has several parameters.…”

Section: Introductionmentioning

confidence: 99%

“…We have compared source codes of 26 versions of Apache HTTP Web server (1.3.x) [15] and all the versions (75 versions) of Mysql DBMS (4.x and 5.x) [14] and collected their vulnerability data from NVD to find out relationship between evolution of the software and vulnerability detection. The model proposed for the single version [7,8,9] uses the hypothesis that the market share influences the vulnerability discovery rates. As the market share increases, so does the rate of vulnerability discovery.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Vulnerability Discovery in Multi-Version Software Systems

Kim

Malaiya

Ray

2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

View full text Add to dashboard Cite

-The vulnerability discovery process for a program describes the rate at which the security vulnerabilities are discovered. Being able to predict the vulnerability discovery process allows developers to adequately plan for resource allocation needed to develop patches for them. It also enables the users to assess the security risks. Thus there is a need to develop a model of the discovery process that can predict the number of vulnerabilities that are likely to be discovered in a given time frame. Recent studies have produced vulnerability discovery process models that are suitable for a specific version of a software. However, these models may not accurately estimate the vulnerability discovery rates for a software when we consider successive versions. In this paper, we propose a new approach for quantitatively modeling the vulnerability discovery process, based on shared source code measurements among multiversion software systems. Such a modeling approach can be used for assessing security risk both before and after the release of a version. The applicability of the approach is examined using two open source software systems, viz., Apache HTTP Web server and Mysql DataBase Management System (DBMS). We have examined the relationship between shared code size and shared vulnerabilities between two successive versions. We observe that vulnerabilities continue to be discovered for an older version because part of its code is shared by the newer and more popular later version. Thus, even when the installed base of an older version has declined, vulnerabilities applicable to it are still discovered. Our results are validated using the source code and vulnerability data for two major versions of Apache HTTP Web server and two major versions of Mysql DBMS.

show abstract

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Vulnerability Discovery in Multi-Version Software Systems

Kim

Malaiya

Ray

2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

View full text Add to dashboard Cite

show abstract

“…Through examining the number of vulnerabilities and their discovery rates, many researchers have established models to quantitatively analyze software security [3][4][5]. A limitation of their approaches is that they only consider the relationship between the number of vulnerabilities and time, while in the Common Vulnerability Scoring System (CVSS) [6], the score rather than the number of vulnerabilities can better reflect the risk level of a software system.…”

Section: Introductionmentioning

confidence: 99%

Using CVSS to quantitatively analyze risks to software caused by vulnerabilities

Gao

Zhang

Xiao-hua

2015

MATEC Web of Conferences

View full text Add to dashboard Cite

Abstract. Quantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security.

show abstract

Software Dependability

Roshandel¹

2009

Wiley Encyclopedia of Computer Science and Engineering

View full text Add to dashboard Cite

Software systems today control every aspect of our daily lives from banking and airline reservation systems, to power grids and air traffic control systems, to online shopping. Proliferation of complex software systems around the world, connected via networks, creates the expectations that these systems must be trusted; that they must be available when needed; that they must perform their duties correctly; that they must be safe to use; and that they must protect sensitive information embedded within them. Simply put, these software systems must be dependable.

show abstract

Measuring, analyzing and predicting security vulnerabilities in software systems

Cited by 190 publications

References 16 publications

Vulnerability Discovery in Multi-Version Software Systems

Vulnerability Discovery in Multi-Version Software Systems

Using CVSS to quantitatively analyze risks to software caused by vulnerabilities

Software Dependability

Contact Info

Product

Resources

About