Improving vulnerability discovery models

Authors:
Andy Ozment
Affiliations:
MIT Lincoln Laboratory & University of Cambridge, Cambridge, United Kngdm
Venue:
Proceedings of the 2007 ACM workshop on Quality of protection
Year:
2007

Citing 12
Cited 6

Software reliability: measurement, prediction, application

Software reliability: measurement, prediction, application
Introduction

Handbook of software reliability engineering
Windows of Vulnerability: A Case Study Analysis

Computer
Validation, Verification, and Testing: Diversity Rules

IEEE Software
Software vulnerability analysis

Software vulnerability analysis
Basic Concepts and Taxonomy of Dependable and Secure Computing

IEEE Transactions on Dependable and Secure Computing
Is Finding Security Holes a Good Idea?

IEEE Security and Privacy
Modeling the Vulnerability Discovery Process

ISSRE '05 Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering
Assessing Vulnerabilities in Apache and IIS HTTP Servers

DASC '06 Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing
Measuring and Enhancing Prediction Capabilities of Vulnerability Discovery Models for Apache and IIS HTTP Servers

ISSRE '06 Proceedings of the 17th International Symposium on Software Reliability Engineering
Milk or wine: does software security improve with age?

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Prediction capabilities of vulnerability discovery models

RAMS '06 Proceedings of the RAMS '06. Annual Reliability and Maintainability Symposium, 2006.

Impact of inheritance on vulnerability propagation at design phase

ACM SIGSOFT Software Engineering Notes
Quantified security is a weak hypothesis: a critical survey of results and assumptions

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities

Proceedings of the 26th Annual Computer Security Applications Conference
Is open source security a myth?

Communications of the ACM
An empirical study on using the national vulnerability database to predict software vulnerabilities

DEXA'11 Proceedings of the 22nd international conference on Database and expert systems applications - Volume Part I
An historical examination of open source releases and their vulnerabilities

Proceedings of the 2012 ACM conference on Computer and communications security

Quantified Score

Hi-index	0.02

Visualization

Abstract

Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.