Optimal Security Patch Release Timing under Non-homogeneous Vulnerability-Discovery Processes

This paper proposes a patch management model with non-homogeneous vulnerability-discovery processes to find the optimal security patch release times. The proposed model extends Cavusoglu et al. (2006, 2008) by applying non-homogeneous vulnerability-discovery processes based on a vulnerability life-cycle model, and provides the optimal schedule of security patch release times over a software life cycle by means of cost analysis. In numerical examples, we show that the optimal patch release policy becomes an aperiodic release strategy, and compare the minimum cost under the optimal policy with that under a periodic release strategy. In addition, based on disclosed vulnerability data, we illustrate the optimal security patch release policy for a real software product.
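As an added illustration, not the paper's model or data, the following code uses a deliberately simplified cost model: vulnerabilities are discovered by a Goel-Okumoto-type non-homogeneous Poisson process, each release carries a fixed cost, and each discovered-but-unpatched vulnerability accrues damage per unit time until the next release. Dynamic programming over a time grid yields the cost-minimal release times, and comparing them with the best equally spaced schedule reproduces the qualitative finding above: the optimal policy is aperiodic, with intervals lengthening as the discovery rate decays. All parameter values and the cost structure are constructed assumptions.

```python
import math

# Constructed stand-in for the paper's model (an assumption, not the authors'
# formulation): vulnerabilities are discovered by a Goel-Okumoto NHPP with mean
# value function m(t) = A (1 - exp(-B t)); every release costs C_R and each
# discovered-but-unpatched vulnerability costs C_D per unit time until patched.
A, B = 30.0, 1.0     # expected total vulnerabilities, discovery-rate decay (per year)
C_R, C_D = 1.0, 0.5  # cost per release, damage cost per vulnerability-year
T = 3.0              # software life cycle in years; a final release at T is assumed


def damage(u, v):
    """Expected exposure between releases at u and v: the integral over s in
    [u, v) of (v - s) * lambda(s) ds, with lambda(s) = A B exp(-B s), closed form."""
    return A * (v - u) * math.exp(-B * u) - (A / B) * (math.exp(-B * u) - math.exp(-B * v))


def schedule_cost(times):
    """Total cost of releasing at the given increasing times (the last one is T)."""
    prev, total = 0.0, 0.0
    for t in times:
        total += C_R + C_D * damage(prev, t)
        prev = t
    return total


def optimal_schedule(n=300):
    """Backward dynamic programming on a grid of n steps: f[i] is the minimum
    cost-to-go just after a release at grid point i; nxt[i] is the next release."""
    dt = T / n
    f, nxt = [0.0] * (n + 1), [n] * (n + 1)
    for i in range(n - 1, -1, -1):
        f[i] = math.inf
        for j in range(i + 1, n + 1):
            c = C_R + C_D * damage(i * dt, j * dt) + f[j]
            if c < f[i]:
                f[i], nxt[i] = c, j
    times, i = [], 0
    while i < n:          # follow the argmin pointers from t = 0 to t = T
        i = nxt[i]
        times.append(round(i * dt, 6))
    return f[0], times


def best_periodic(max_releases=30):
    """Cheapest schedule among equally spaced releases, k = 1..max_releases."""
    return min((schedule_cost([T * m / k for m in range(1, k + 1)]), k)
               for k in range(1, max_releases + 1))
```

Calling `optimal_schedule()` and `best_periodic()` side by side shows the aperiodic optimum undercutting every periodic schedule under these assumed parameters.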

[1] Byron S. Gottfried. Technical Note: A Stopping Criterion for the Golden-Ratio Search. Oper. Res., 1975.

[2] Hao Xu et al. Optimal Policy for Software Vulnerability Disclosure. Manag. Sci., 2008.

[3] Yashwant K. Malaiya et al. Measuring and Enhancing Prediction Capabilities of Vulnerability Discovery Models for Apache and IIS HTTP Servers. 2006 17th International Symposium on Software Reliability Engineering, 2006.

[4] Sean R. Eddy et al. What is dynamic programming? Nature Biotechnology, 2004.

[5] Jun Zhang et al. Security Patch Management: Share the Burden or Share the Damage? Manag. Sci., 2008.

[6] Crispin Cowan et al. Timing the Application of Security Patches for Optimal Uptime. LISA, 2002.

[7] Yashwant K. Malaiya et al. Assessing Vulnerabilities in Apache and IIS HTTP Servers. 2006 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing, 2006.

[8] Eric Rescorla et al. Is finding security holes a good idea? IEEE Security & Privacy, 2005.

[9] Jun Zhang et al. Economics of Security Patch Management. WEIS, 2006.

[10] U. Rieder et al. Markov Decision Processes. 2010.

[11] Robert A. Small et al. Reducing Internet-Based Intrusions: Effective Security Patch Management. IEEE Softw., 2003.

[12] Martin L. Puterman et al. Markov Decision Processes: Discrete Stochastic Dynamic Programming. 1994.

[13] Michael R. Lyu et al. Handbook of Software Reliability Engineering. 1996.

[14] John D. Musa et al. Software Reliability Engineering. 1998.

[15] William A. Arbaugh et al. IEEE 52 Computer. 1985.

[16] Yashwant K. Malaiya et al. Modeling the vulnerability discovery process. 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05), 2005.

[17] John D. Musa et al. Software-Reliability-Engineered Testing. Computer, 1996.

[18] Steve W. Manzuik et al. Windows of Vulnerability. 2006.

[19] William A. Arbaugh et al. A trend analysis of exploitations. Proceedings 2001 IEEE Symposium on Security and Privacy (S&P 2001), 2001.

[20] Tadashi Dohi et al. EM algorithms for logistic software reliability models. IASTED Conf. on Software Engineering, 2004.

[21] Yashwant K. Malaiya et al. Application of Vulnerability Discovery Models to Major Operating Systems. IEEE Transactions on Reliability, 2008.

[22] Amrit L. Goel et al. Time-Dependent Error-Detection Rate Model for Software Reliability and Other Performance Measures. IEEE Transactions on Reliability, 1979.

[23] Tadashi Dohi et al. Hyper-Erlang Software Reliability Model. 2008 14th IEEE Pacific Rim International Symposium on Dependable Computing, 2008.

[24] Mitsuru Ohba et al. Inflection S-Shaped Software Reliability Growth Model. 1984.

[25] Hiroyuki Okamura et al. Hyper-Erlang Software Reliability Model. 2008.