Quantitative vulnerability assessment of systems software

TLDR

Vulnerabilities present in such software represent significant security risks. The paper investigates the feasibility of software vulnerabilities and proposes a time‑based model to quantify them. The authors propose a time‑based model for vulnerability discovery, introduce an equivalent‑effort measure, and present an alternative model analogous to software reliability growth models. The study presents cumulative vulnerability plots for Windows 98 and NT 4.0, shows defect‑density data and its relation to vulnerabilities, and suggests that this relationship could help estimate future vulnerability counts.

Abstract

This paper addresses feasibility of vulnerabilities present in the software. Vulnerabilities present in such software represent significant security risks. For Windows 98 and Windows NT 4.0, we present plots for cumulative numbers of vulnerabilities found. A time-based model for the total vulnerabilities discovered is proposed and is fitted to the data for two operating systems. We introduce a measure termed equivalent effort and propose an alternative model which is analogous to the software reliability growth models. We present the data on known defect densities for the two operating systems and discuss the relation between densities of vulnerabilities and the general defects. This relationship could lead us to potential ways of estimating the number of vulnerabilities in future.

References

Page 1

	Year	Citations

Page 1