Modeling the Vulnerability Discovery Process

Authors:
O. H. Alhazmi;Y. K. Malaiya
Affiliations:
Colorado State University;Colorado State University
Venue:
ISSRE '05 Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering
Year:
2005

Citing 0
Cited 11

Improving vulnerability discovery models

Proceedings of the 2007 ACM workshop on Quality of protection
Impact of inheritance on vulnerability propagation at design phase

ACM SIGSOFT Software Engineering Notes
Optimal security patch release timing under non-homogeneous vulnerability-discovery processes

ISSRE'09 Proceedings of the 20th IEEE international conference on software reliability engineering
Towards a unifying approach in understanding security problems

ISSRE'09 Proceedings of the 20th IEEE international conference on software reliability engineering
Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox

Proceedings of the 6th International Workshop on Security Measurements and Metrics
Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities

Proceedings of the 26th Annual Computer Security Applications Conference
After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Objective Risk Evaluation for Automated Security Management

Journal of Network and Systems Management
An idea of an independent validation of vulnerability discovery models

ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
OSDC: adapting ODC for developing more secure software

Proceedings of the 28th Annual ACM Symposium on Applied Computing
A Formal Framework for Patch Management

International Journal of Interdisciplinary Telecommunications and Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security vulnerabilities in servers and operating systems are software defects that represent great risks. Both software developers and users are struggling to contain the risk posed by these vulnerabilities. The vulnerabilities are discovered by both developers and external testers throughout the life-span of a software system. A few models for the vulnerability discovery process have just been published recently. Such models will allow effective resource allocation for patch development and are also needed for evaluating the risk of vulnerability exploitation. Here we examine these models for the vulnerability discovery process. The models are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems. The applicability of the proposed models and significance of the parameters involved are discussed. The limitations of the proposed models are examined and major research challenges are identified.