Temporal metrics for software vulnerabilities

  • Authors: Ju An Wang; Fengwei Zhang; Min Xia

  • Affiliations: Southern Polytechnic State University, Marietta, GA; Southern Polytechnic State University, Marietta, GA; Southern Polytechnic State University, Marietta, GA

  • Venue: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead

  • Year: 2008

Abstract

It is widely recognized that metrics are important to information security. Metrics can be an effective tool for companies and information security professionals to measure, control, and improve their security controls and mechanisms. However, common security metrics are often qualitative, subjective, and informal in the sense that they lack formal models and automated support. This paper discusses our work on temporal metrics for software vulnerabilities based on the Common Vulnerability Scoring System 2.0. A mathematical model is provided to calculate the severity and risk of a vulnerability, which is time dependent, including the exploitability, remediation level, and report confidence attributes of an information asset in a computing environment. A prototype of an automated tool, CVSSWizzard, is illustrated with examples.