Abstract
The ever-growing number of security vulnerabilities in software is an inevitable challenge for organizations. Developers must also work within limited budgets while meeting deadlines, so they need to prioritize their vulnerability responses. In this paper, we propose an approach to vulnerability response prioritization based on "closeness to the ideal". We use the TOPSIS and VIKOR methods in this study. Both techniques employ an aggregating function to rank the alternatives under consideration. The VIKOR method determines a compromise solution from a measure of closeness to a single ideal solution, while the TOPSIS method determines a feasible solution by taking into account both the shortest distance from the positive ideal solution and the greatest distance from the negative ideal solution. The two methods share some significant similarities and differences. A comparative analysis of the two methods is carried out by applying them to real-life software vulnerability datasets to obtain a vulnerability prioritization.
© 2019 Springer Nature Singapore Pte Ltd.
Sharma, R., Sibal, R., Sabharwal, S. (2019). Software Vulnerability Prioritization: A Comparative Study Using TOPSIS and VIKOR Techniques. In: Kapur, P., Klochkov, Y., Verma, A., Singh, G. (eds) System Performance and Management Analytics. Asset Analytics. Springer, Singapore. https://doi.org/10.1007/978-981-10-7323-6_32
DOI: https://doi.org/10.1007/978-981-10-7323-6_32
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-7322-9
Online ISBN: 978-981-10-7323-6
eBook Packages: Business and Management (R0)