An Empirical Analysis of Exploitation Attempts Based on Vulnerabilities in Open Source Software

For open source software, security attention frequently focuses on the discovery of vulnerabilities prior to release. The large number of diverse people who can view the source code may find vulnerabilities before the software product is released. Therefore, open source software has the potential to be more secure than closed source software. Unfortunately, for vulnerabilities found after release, the benefit of having many viewers may work against open source software security. Attackers may be more likely to exploit discovered vulnerabilities since they too can view the source code and can use it to learn the details of a weakness and how best to exploit it. I examine the diffusion of vulnerabilities in open source software compared with closed source software. Empirical analysis of two years of security alert data from intrusion detection systems indicates that open source software vulnerabilities are at greater risk of exploitation, diffuse more rapidly, and have a greater volume of exploitation attempts.
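The abstract names three outcome measures (risk of exploitation, speed of diffusion, volume of exploitation attempts) without saying how they are computed from alert data. The following is an added example, not code or data from the paper: it shows one way to derive those measures from intrusion detection alert records keyed to a disclosed vulnerability. The vulnerability and alert records, the 730-day observation window, the use of distinct attacked hosts as the diffusion measure, and the choice of a Kaplan-Meier estimator for time from disclosure to first observed attempt are all assumptions made here for illustration.

```python
"""Exploitation-attempt metrics from IDS alert records, split by source model.

Added illustration: the records below are constructed, not drawn from the
paper's two-year alert set, and the abstract does not state its estimator;
a Kaplan-Meier curve is used as one standard way to express 'risk of
exploitation' as time from disclosure to first observed attempt.
"""
from collections import defaultdict
from dataclasses import dataclass

OBS_END = 730  # assumed two-year observation window, in days


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    open_source: bool
    disclosed: int  # day of public disclosure


@dataclass(frozen=True)
class Alert:
    vuln_id: str
    day: int        # day the IDS raised the alert
    target: str     # attacked host, used to measure diffusion


# Constructed sample: three open source and three closed source vulnerabilities,
# one of each never seen in an alert (right-censored at OBS_END).
VULNS = [
    Vuln("OSS-1", True, 10), Vuln("OSS-2", True, 100), Vuln("OSS-3", True, 300),
    Vuln("CSS-1", False, 20), Vuln("CSS-2", False, 120), Vuln("CSS-3", False, 350),
]
ALERTS = [
    Alert("OSS-1", 15, "hostA"), Alert("OSS-1", 17, "hostB"),
    Alert("OSS-1", 20, "hostC"), Alert("OSS-1", 40, "hostA"),
    Alert("OSS-2", 110, "hostA"), Alert("OSS-2", 111, "hostD"),
    Alert("CSS-1", 80, "hostA"), Alert("CSS-1", 90, "hostB"),
    Alert("CSS-2", 300, "hostC"),
]


def per_vuln(vulns, alerts):
    """Per vulnerability: (duration, event, distinct_targets, alert_count).

    duration is days from disclosure to the first attempt, or to OBS_END when
    no attempt was observed (event=0, i.e. censored)."""
    by_id = defaultdict(list)
    for a in alerts:
        by_id[a.vuln_id].append(a)
    out = {}
    for v in vulns:
        hits = [a for a in by_id[v.vuln_id] if a.day >= v.disclosed]
        if hits:
            first = min(a.day for a in hits)
            out[v.vuln_id] = (first - v.disclosed, 1,
                              len({a.target for a in hits}), len(hits))
        else:
            out[v.vuln_id] = (OBS_END - v.disclosed, 0, 0, 0)
    return out


def kaplan_meier(durations, events):
    """Product-limit estimate of S(t) = P(not yet exploited by day t).

    Returns [(t, S(t))] at each distinct event time; censored observations
    only shrink the at-risk set and never step the curve down."""
    pairs = sorted(zip(durations, events))
    at_risk, s, curve, i = len(pairs), 1.0, [], 0
    while i < len(pairs):
        t, d, n = pairs[i][0], 0, 0
        while i < len(pairs) and pairs[i][0] == t:
            d += pairs[i][1]
            n += 1
            i += 1
        if d:
            s *= 1.0 - d / at_risk
            curve.append((t, s))
        at_risk -= n
    return curve


def survival_at(curve, t):
    """Step-function lookup of S(t) from a kaplan_meier() curve."""
    s = 1.0
    for time, val in curve:
        if time > t:
            break
        s = val
    return s


def compare_groups(vulns=VULNS, alerts=ALERTS):
    """Risk (survival curve), diffusion (distinct targets reached) and volume
    (alert count) for open source versus closed source vulnerabilities."""
    stats = per_vuln(vulns, alerts)
    result = {}
    for label, flag in (("open", True), ("closed", False)):
        rows = [stats[v.vuln_id] for v in vulns if v.open_source == flag]
        result[label] = {
            "curve": kaplan_meier([r[0] for r in rows], [r[1] for r in rows]),
            "targets": sum(r[2] for r in rows),
            "alerts": sum(r[3] for r in rows),
        }
    return result


if __name__ == "__main__":
    for label, g in compare_groups().items():
        print(label, "S(30)=%.2f" % survival_at(g["curve"], 30),
              "targets", g["targets"], "alerts", g["alerts"])
```

A lower survival value at a given day after disclosure means a higher risk of an observed exploitation attempt by that day; the censored entries matter because vulnerabilities that were never attacked still belong in the at-risk set and must not be dropped from the comparison.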
