A large scale exploratory analysis of software vulnerability life cycles

Authors:
Muhammad Shahzad;Muhammad Zubair Shafiq;Alex X. Liu
Affiliations:
Michigan State University, USA;Michigan State University, USA;Michigan State University, USA
Venue:
Proceedings of the 34th International Conference on Software Engineering
Year:
2012

Citing 11
Cited 2

Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Why Information Security is Hard-An Economic Perspective

ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
Is Finding Security Holes a Good Idea?

IEEE Security and Privacy
Large-scale vulnerability analysis

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price

IEEE Transactions on Software Engineering
A Comprehensive and Comparative Analysis of the Patching Behavior of Open Source and Closed Source Software Vendors

IMF '09 Proceedings of the 2009 Fifth International Conference on IT Security Incident Management and IT Forensics
Vulnerability analysis for a quantitative security evaluation

ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Information Systems Research
Beyond heuristics: learning to classify vulnerabilities and predict exploits

Proceedings of the 16th ACM SIGKDD international conference on Knowledge discovery and data mining
Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities

Proceedings of the 26th Annual Computer Security Applications Conference
Empirical results on the study of software vulnerabilities (NIER track)

Proceedings of the 33rd International Conference on Software Engineering

Before we knew it: an empirical study of zero-day attacks in the real world

Proceedings of the 2012 ACM conference on Computer and communications security
A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets

Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software systems inherently contain vulnerabilities that have been exploited in the past resulting in significant revenue losses. The study of vulnerability life cycles can help in the development, deployment, and maintenance of software systems. It can also help in designing future security policies and conducting audits of past incidents. Furthermore, such an analysis can help customers to assess the security risks associated with software products of different vendors. In this paper, we conduct an exploratory measurement study of a large software vulnerability data set containing 46310 vulnerabilities disclosed since 1988 till 2011. We investigate vulnerabilities along following seven dimensions: (1) phases in the life cycle of vulnerabilities, (2) evolution of vulnerabilities over the years, (3) functionality of vulnerabilities, (4) access requirement for exploitation of vulnerabilities, (5) risk level of vulnerabilities, (6) software vendors, and (7) software products. Our exploratory analysis uncovers several statistically significant findings that have important implications for software development and deployment.