Modeling the Vulnerability Discovery Process

Alhazmi, Omar H.; Malaiya, Yashwant K.

doi:10.1109/issre.2005.30

Cited by 92 publications

(80 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…where B represents the estimated total number of vulnerabilities and the parameters A and C determine the shape of the curve [7]. The model is based on the assumption that the vulnerability discovery process is controlled by the market share of the software and the number of vulnerabilities remaining undiscovered [8].…”

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

“…The model is based on the assumption that the vulnerability discovery process is controlled by the market share of the software and the number of vulnerabilities remaining undiscovered [8]. This model has been found to yield a significant goodness-of-fit for many widely used software systems [7,8,9,21]. However the plots of actual data sometimes show a departure from the model following the release of a new version [8].…”

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

“…Recently, researchers have started investigating how the vulnerability discovery process can be described using some Vulnerability Discovery Model (VDM). Examples of VDMs include the work by Anderson, Rescorla, Alhazmi and Malaiya [5,6,7,8,9]. Each model uses a different approach and has several parameters.…”

Section: Introductionmentioning

confidence: 99%

“…We have compared source codes of 26 versions of Apache HTTP Web server (1.3.x) [15] and all the versions (75 versions) of Mysql DBMS (4.x and 5.x) [14] and collected their vulnerability data from NVD to find out relationship between evolution of the software and vulnerability detection. The model proposed for the single version [7,8,9] uses the hypothesis that the market share influences the vulnerability discovery rates. As the market share increases, so does the rate of vulnerability discovery.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Vulnerability Discovery in Multi-Version Software Systems

Kim

Malaiya

Ray

2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

View full text Add to dashboard Cite

-The vulnerability discovery process for a program describes the rate at which the security vulnerabilities are discovered. Being able to predict the vulnerability discovery process allows developers to adequately plan for resource allocation needed to develop patches for them. It also enables the users to assess the security risks. Thus there is a need to develop a model of the discovery process that can predict the number of vulnerabilities that are likely to be discovered in a given time frame. Recent studies have produced vulnerability discovery process models that are suitable for a specific version of a software. However, these models may not accurately estimate the vulnerability discovery rates for a software when we consider successive versions. In this paper, we propose a new approach for quantitatively modeling the vulnerability discovery process, based on shared source code measurements among multiversion software systems. Such a modeling approach can be used for assessing security risk both before and after the release of a version. The applicability of the approach is examined using two open source software systems, viz., Apache HTTP Web server and Mysql DataBase Management System (DBMS). We have examined the relationship between shared code size and shared vulnerabilities between two successive versions. We observe that vulnerabilities continue to be discovered for an older version because part of its code is shared by the newer and more popular later version. Thus, even when the installed base of an older version has declined, vulnerabilities applicable to it are still discovered. Our results are validated using the source code and vulnerability data for two major versions of Apache HTTP Web server and two major versions of Mysql DBMS.

show abstract

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

Section: A Aml Vulnerability Discovery Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Vulnerability Discovery in Multi-Version Software Systems

Kim

Malaiya

Ray

2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

View full text Add to dashboard Cite

show abstract

“…In [12], Rescorla has studied vulnerabilities in open source servers. The vulnerabilities discovery process in operating systems has just recently been examined by Rescorla [13] and by Alhazmi and Malaiya [14,15,16].…”

Section: Introductionmentioning

confidence: 99%

Assessing Vulnerabilities in Apache and IIS HTTP Servers

Woo

Alhazmi

Malaiya

2006

2006 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing

View full text Add to dashboard Cite

show abstract

Enterprise security economics: A self‐defense versus cyber‐insurance dilemma

Miaoui

Boudriga

2019

Appl Stoch Models Bus & Ind

View full text Add to dashboard Cite

We propose a model that optimizes enterprise investments in cybersecurity using expected utility theory. The model allows computing (a) investment in self-defense to reduce the risk of security breaches, (b) investment in cyber insurance to transfer the residual risk to insurance companies, and (c) investment in forensic readiness to make the insured firms capable of generating provable insurance claims about security breaches. A three-phase-based model of vulnerability rate evolution over time is proposed and used to estimate the different planned security expenditures throughout the investment horizon.At the starting time of investment, a decision maker invests to cover the existing risk of breach and periodically spends to cover the additional risk observed due to the release of new vulnerabilities. In this work, the intermediate tranches are determined while considering three different attitudes of decision makers, namely, optimistic, pessimistic, and realistic. An analysis is conducted to assess the performance of the proposed models. KEYWORDSforensic readiness, information security, optimal investment, risk minimization 448

show abstract

Modeling the Vulnerability Discovery Process

Cited by 92 publications

References 13 publications

Vulnerability Discovery in Multi-Version Software Systems

Vulnerability Discovery in Multi-Version Software Systems

Assessing Vulnerabilities in Apache and IIS HTTP Servers

Enterprise security economics: A self‐defense versus cyber‐insurance dilemma

Contact Info

Product

Resources

About