Keywords: Vulnerability discovery model (VDM); Risk evaluation; Web server; Quantitative modeling; Security. Abstract: Vulnerability discovery models allow prediction of the number of vulnerabilities that are likely to be discovered in the future. Hence, they allow the vendors and the end users to manage risk by optimizing resource allocation. Most…
Known vulnerabilities which have been discovered but not patched represent a security risk which can lead to considerable financial damage or loss of reputation. They include vulnerabilities that have either no patches available or for which patches are applied after some delay. Exploitation is even possible before public disclosure of a vulnerability.…
A vulnerability discovery model describes the variation in the vulnerability discovery rate during the lifetime of a software system and can be used to assess risk and to evaluate possible mitigation approaches. A few vulnerability discovery models have recently been proposed. The AML Logistic model has been found to provide the best fit in several cases.…
A vulnerability discovery model describes the vulnerability discovery rate in a software system, and predicts the future behavior. It can allow the IT managers and developers to allocate their resources optimally by timely development and application of patches. Such models also allow the end-users to assess security risk in their systems. Recently,…
Vulnerability discovery rates need to be taken into account for evaluating security risks. Accurate projection of these rates is required to estimate the effort needed to develop patches for handling vulnerabilities discovered. Seasonal behaviors of the vulnerability discovery process for a multi-year life-cycle of software products are examined. A careful…
Prediction of vulnerability discovery rates can be used to assess security risks and to determine the resources needed to develop patches quickly to handle vulnerabilities discovered. An examination of the vulnerability data suggests a seasonal behavior that has not been modeled by the recently proposed vulnerability discovery models. This seasonality has…
Some of the major computer security organizations monitor a global pool of systems for the presence of vulnerabilities and worms. The extensive amount of data generated provides important insights into the vulnerability activity and the risk they represent. An examination of the data published suggests weekly periodical behavior. This paper identifies the…
A vulnerability that has been discovered but is unpatched represents a security risk to a system. During the lifetime of a software system, new vulnerabilities are discovered over time. There are two opposing actors, the patch developers and the potential exploiters. An exploit can happen immediately after a disclosure, perhaps even before the disclosure…
Periodicity in key processes related to software vulnerabilities needs to be taken into account for assessing security at a given time. Here, we examine the actual multi-year field datasets for some of the most used software systems (operating systems and Web-related software) for potential annual variations in vulnerability discovery processes. We also…