Concepedia

Publication | Closed Access

Improving vulnerability discovery models

DOI

77

Citations

18

References

2007

Year

Andy Ozment

Unknown Venue

Abstract

Security researchers are applying software reliability models to vulnerability data, in an attempt to model the vulnerability discovery process. I show that most current work on these vulnerability discovery models (VDMs) is theoretically unsound. I propose a standard set of definitions relevant to measuring characteristics of vulnerabilities and their discovery process. I then describe the theoretical requirements of VDMs and highlight the shortcomings of existing work, particularly the assumption that vulnerability discovery is an independent process.

References

YearCitations

Basic concepts and taxonomy of dependable and secure computing

A. Avižienis, J.-C. Laprie, Brian Randell,

IEEE Transactions on Dependable and Secure Computing

2004

5.1K

Proceedings of the 11th USENIX Security Symposium

Dan Boneh

2002

2.5K

Software vulnerability analysis

Ivan Krsul, Eugene H. Spafford

Purdue e-Pubs (Purdue University System)

1998

288

Is finding security holes a good idea?

Eric Rescorla

IEEE Security & Privacy

2005

270

Windows of vulnerability: a case study analysis

John McHugh, William Fithen, William A. Arbaugh

Computer

2000

263

National Academy Press

Disaster Prevention and Management An International Journal

1999

231

Milk or wine: does software security improve with age?

Andy Ozment, Stuart Schechter

2006

163

Quantitative vulnerability assessment of systems software

Omar H. Alhazmi, Yashwant K. Malaiya

2005

121

Modeling the Vulnerability Discovery Process

Omar H. Alhazmi, Yashwant K. Malaiya

2006

120

Failure correlation in software reliability models

Katerina Goševa-Popstojanova, Kishor S. Trivedi

IEEE Transactions on Reliability

2000

104

Page 1