Improving vulnerability discovery models
Proceedings of the 2007 ACM workshop on Quality of protection
Optimal security patch release timing under non-homogeneous vulnerability-discovery processes
ISSRE'09 Proceedings of the 20th IEEE international conference on software reliability engineering
Is open source security a myth?
Communications of the ACM
| Hi-index | 0.02 |
We examine the feasibility of quantitatively characterizing the vulnerabilities in the two major HTTP servers. In particular, we investigate the applicability of quantitative empirical models to the vulnerabilities discovery process for these servers. Such models can allow us to predict the number of vulnerabilities that may potentially be present in a server but may not yet have been found. The data on vulnerabilities found in the two servers is mined and analyzed. We explore the applicability of a time-based and an effort-based vulnerability discovery model. The effort-based model requires data of the current market-share of a server. Both models have been successfully used for vulnerabilities in the major operating systems. Our results show that both vulnerabilities discovery models fit the data for the HTTP servers well. We also examine a separate classification schemes for server vulnerabilities that based on the source of error, and then explore the applicability of the quantitative methods to individual classes.