Abstract
Having a precise vulnerability discovery model (VDM) would provide useful quantitative insight for assessing software security. Thus far, several models have been proposed, with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of these models to the vulnerabilities of the popular browsers Firefox, Google Chrome and Internet Explorer. The results show that some VDMs simply do not fit the data, while for others there is both positive and negative evidence.
This work is supported by the European Commission under the EU-FET-IP-SECURECHANGE project.
© 2012 Springer-Verlag Berlin Heidelberg
Nguyen, V.H., Massacci, F. (2012). An Idea of an Independent Validation of Vulnerability Discovery Models. In: Barthe, G., Livshits, B., Scandariato, R. (eds) Engineering Secure Software and Systems. ESSoS 2012. Lecture Notes in Computer Science, vol 7159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28166-2_9
DOI: https://doi.org/10.1007/978-3-642-28166-2_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28165-5
Online ISBN: 978-3-642-28166-2