The increasing availability and deployment of open source software in personal and commercial environments makes open source software highly appealing to hackers and others who are interested in exploiting software vulnerabilities. This deployment has resulted in a debate "full of religion" on the security of open source software compared to that of closed source software. However, beyond such arguments, little quantitative analysis of this research issue has taken place. We discuss the state of the art of the security debate and identify its shortcomings. Based on these, we propose new metrics that allow us to answer the question of to what extent the review process of open source and closed source development has helped to fix vulnerabilities. We illustrate the application of some of these metrics in a case study on OpenOffice (open source software) vs. Microsoft Office (closed source software).