Software Risk Assessment for Windows Operating Systems with respect to CVSS

CVSS is recognized as the de facto standard for categorizing and measuring software vulnerabilities, both in how easily a given security bug can be exploited and in how much impact a vulnerability has on a system in terms of the three security factors. Meanwhile, since the early 2000s, quantitative risk assessments of software systems have become feasible because enough data has accumulated for scientific investigation. However, many questions in software risk assessment have still not been examined quantitatively. In this paper, we quantitatively analyze the CVSS scores of vulnerabilities in the three most recent Windows products, namely Windows 7, Windows 8.1 and Windows 10. The results show that the AML vulnerability discovery model represents the Windows vulnerability discovery trend reasonably well. Furthermore, we found explicitly that, most of the time, security bugs are exploitable with no authentication required. This result corresponds with the findings of previous research on Web browsers.
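The AML (Alhazmi-Malaiya Logistic) model the abstract refers to describes cumulative vulnerability discovery as an S-shaped curve, Omega(t) = B / (B*C*exp(-A*B*t) + 1). The following is an added illustration, not code from the paper: it evaluates the model, its discovery-rate derivative, and fits the three parameters to a constructed series of cumulative monthly counts by grid search. The parameter grids and the sample series are assumptions made for the example.

```python
import math

def aml_cumulative(t, A, B, C):
    """AML model: cumulative vulnerabilities discovered by time t (months).
    B is the total that will eventually be found; A and C control how
    quickly the learning phase gives way to the linear and saturation phases."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def aml_rate(t, A, B, C):
    """Discovery rate d(Omega)/dt = A * Omega * (B - Omega), which peaks
    mid-lifecycle when roughly half of B has been found."""
    omega = aml_cumulative(t, A, B, C)
    return A * omega * (B - omega)

def sse(series, A, B, C):
    """Sum of squared errors between the model and observed (t, count) pairs."""
    return sum((aml_cumulative(t, A, B, C) - y) ** 2 for t, y in series)

def fit_aml(series, a_grid, b_grid, c_grid):
    """Coarse grid search returning (sse, A, B, C) with the smallest error.
    A least-squares optimizer would refine this; the grid keeps it dependency-free."""
    best = None
    for A in a_grid:
        for B in b_grid:
            for C in c_grid:
                err = sse(series, A, B, C)
                if best is None or err < best[0]:
                    best = (err, A, B, C)
    return best

# Constructed sample: cumulative counts every six months, generated from
# assumed "true" parameters and rounded to whole vulnerabilities.
TRUE_PARAMS = (0.002, 200.0, 0.05)
SAMPLE = [(t, float(round(aml_cumulative(t, *TRUE_PARAMS)))) for t in range(0, 48, 6)]

# Assumed search grids; in practice these would be widened around initial guesses.
A_GRID = (0.001, 0.002, 0.004)
B_GRID = (150.0, 200.0, 250.0)
C_GRID = (0.02, 0.05, 0.1)

if __name__ == "__main__":
    err, A, B, C = fit_aml(SAMPLE, A_GRID, B_GRID, C_GRID)
    print(f"best fit A={A} B={B} C={C} sse={err:.2f}")
    for t, y in SAMPLE:
        print(f"t={t:2d} observed={y:5.0f} model={aml_cumulative(t, A, B, C):6.1f}")
```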
