论文信息 - Analyses of two end-user software vulnerability exposure metrics (extended version)

Analyses of two end-user software vulnerability exposure metrics (extended version)

Abstract Understanding the exposure risk of software vulnerabilities is an important part of the software ecosystem. Reliable software vulnerability metrics allow end-users to make informed decisions regarding the risk posed by the choice of one software package versus another. In this article, we develop and analyze two new security metrics: median active vulnerabilities (MAV) and vulnerability free days (VFD). Both metrics take into account both the rate of vulnerability discovery and the rate at which vendors produce corresponding patches. We examine how our metrics are computed from publicly available data sets and then demonstrate their use in a case study with various vendors and products. Finally, we discuss the use of the metrics by various software stakeholders and how end-users can benefit from their use.

Miles McQueen | Jason L. Wright | Lawrence Wellman

[1] Guido Schryen,et al. Is open source security a myth? , 2011, Commun. ACM.

[2] Hao Xu,et al. Optimal Policy for Software Vulnerability Disclosure , 2008, Manag. Sci..

[3] Miles McQueen,et al. Analyses of Two End-User Software Vulnerability Exposure Metrics , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[4] Stuart E. Schechter,et al. Milk or Wine: Does Software Security Improve with Age? , 2006, USENIX Security Symposium.

[5] Geoffrey Thomas,et al. Security Impact Ratings Considered Harmful , 2009, HotOS.

[6] Eric Rescorla,et al. Is finding security holes a good idea? , 2005, IEEE Security & Privacy.

[7] Bernhard Plattner,et al. Large-scale vulnerability analysis , 2006, LSAD '06.

[8] Doina Caragea,et al. An Empirical Study on Using the National Vulnerability Database to Predict Software Vulnerabilities , 2011, DEXA.

[9] Sandy Clark,et al. Familiarity breeds contempt: the honeymoon effect and the role of legacy code in zero-day vulnerabilities , 2010, ACSAC '10.