A comprehensive and comparative analysis of the patching behavior of open source and closed source software vendors

IMF 2009 - 5th International Conference on IT Security Incident Management and IT Forensics - Conference Proceedings

Volumn , Issue , 2009, Pages 153-168

  Schryen, Guido ^a  

^a RWTH AACHEN UNIVERSITY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CLOSED SOURCE SOFTWARES; COMPARATIVE ANALYSIS; EMAIL CLIENTS; EMPIRICAL ANALYSIS; EMPIRICAL INVESTIGATION; EMPIRICAL STUDIES; NATIONAL VULNERABILITY DATABASE; OPEN SOURCES; OPERATING SYSTEMS; QUALITY OF DATA; SOFTWARE DEVELOPMENT STYLES; SOFTWARE VENDORS; THEORETICAL ARGUMENTS;

COMPUTER OPERATING SYSTEMS; COMPUTER SOFTWARE SELECTION AND EVALUATION; NETWORK SECURITY; SECURITY SYSTEMS; SOFTWARE DESIGN; WEB BROWSERS;

DATABASE SYSTEMS;

EID: 71249135127     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/IMF.2009.15     Document Type: Conference Paper

References (38)

1. M. Schwarz and Y. Takhteyev, "Half a Century of Public Software Institutions: Open Source as a Solution to Hold Up Problem", http://www.takhteyev.org/papers/Schwarz-Takhteyev-2008.pdf, 2008.
2. C. Payne, "On the security of open source software", Information Systems Journal (12:1), 2002, pp. 61-78.
3. Raymond, E.S. The Cathedral and the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary, O'Reilly, Beijing, China, 2001.
4. E. Levy, "Wide open source", http://www.securityfocus.com/news/ 19, 2000.
5. J. Viega, "Open Source Security: Still a Myth", http://www.onlamp.com/pub/a/security/2004/09/16/open-source-security-myths.html, 2004.
6. O.H. Alhazmi and Y.K. Malaiya, "Measuring and enhancing prediction capabilities of vulnerability discovery models for Apache and IIS HTTP servers", in: Proceedings of the 17th International Symposium on Software Reliability Engineering (ISSRE'06), Washington, DC, USA, 2006, pp. 343-352.
7. O. Alhazmi, Y. Malaiya, and I. Ray, "Measuring, analyzing and predicting security vulnerabilities in software systems", Computers & Security (26:3), 2007, pp. 219-228.
8. S. Frei, M. May, U. Fiedler B. Plattner, "Large-Scale Vulnerability Analysis, in: Proceedings of the ACM SIGCOMM 2006 Workshop, November 11, 2006, Pisa, Italy.
9. R. Gopalakrishna and E.H. Spafford, "A trend analysis of vulnerabilities", Technical Report 2005-05, CERIAS, Purdue University, May 2005.
10. S. Neuhaus, T. Zimmermann, C. Holler and A. Zeller, "Predicting Vulnerable Software Components", in: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), Alexandria, VA, USA, October 2007, pp. 529-540.
11. S.-W. Woo, O.H. Alhazmi, and Y.K. Malaiya, "An analysis of the vulnerability discovery process in web browsers", in: Proceedings of the 10th IASTED International Conference on Software Engineering and Applications, Dallas, TX, USA, November 13-15, 2006.
12. S.-W.Woo, O.H. Alhazmi Y.K. Malaiya, "Assessing vulnerabilities in Apache and IIS HTTP servers, in: Proceedings of the 2nd International Symposium on Dependable, Autonomic and Secure Computing, Indianapolis, IN, USA, September 29-October 01, 2006, pp. 103-110.
13. E. Rescorla, "Is finding security holes a good idea?", in: Proceedings of the Third Annual Workshop on Economics and Information Security, Minneapolis, Minnesota, May 13-14, 2004.
14. G. Schryen, "Security of open source and closed source software: An empirical comparison of published vulnerabilities", in: Proceedings of Americas Conference on Information Systems, San Francisco, California, August 6 - 9, 2009.
15. A. Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting", in: Proceedings of the Fourth Workshop on the Economics of Information Security, Cambridge, Massachusetts, June 2-3, 2005, pp. 1-21.
16. Open Source Initiative (OSI), "The Open Source Definition", http://www.opensource.org/docs/osd, 2006.
17. J. M. Gonzalez-Barahona, "Free Software/Open Source: Information Society Opportunities for Europe?", Working group on Libre Software, http://eu.conecta.it/paper/cathedral-bazaar.html, 2000.
18. Free Software Foundation (FSF), "The Free Software Definition", http://www.fsf.org/licensing/essays/free-sw.html, 2007.
19. G. Schryen and R. Kadura, "Open Source vs. Closed Source Software: Towards Measuring Security", in: Proceedings of the 2009 ACM Symposium on Applied Computing, Honolulu, Hawaii, March 8-12, 2009, pp. 2016-2023.
20. R. Anderson, "Why Information Security is Hard - An Economic Perspective", in: Proceedings of the Seventeenth Computer Security Applications Conference, New Orleans, Louisiana, December 10-14, 2001, pp. 358-365.
21. MITRE, "Common Vulnerabilities and Exposures", http://cve.mitre.org, 2009
22. A. Ozment, "Improving Vulnerability Discovery Models: Problems with Definitions and Assumptions", in: Proceedings of the Third Workshop on Quality of Protection (QoP'07), Alexandria, VA, USA. October 29, 2007.
23. US-CERT, "Vulnerability Notes Database Field Descriptions", http://www.kb.cert.org/vuls/html/fieldhelp, 2009.
24. W.A. Arbaugh, W.L. Fithen and J. McHugh, "Windows of vulnerability: A case study analysis", IEEE Computer (33:12), 2000, pp. 52-59.
25. Anderson, R. and Moore, T., "Information Security Economics - and Beyond", Information Security Summit 2008, http://www.cl.cam.ac.uk/~rja14/ Papers/econ-czech.pdf.
26. A. Arora, R. Krishnan, A. Nandkumar, R. Telang, and Y. Yang, "Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis", in: Proceedings of the Third Workshop on the Economics of Information Security, Minneapolis, Minnesota, May 13-14, 2004, pp. 1-20.
27. D. Nizovtsev and M. Thursby, "To disclose or not? An analysis of software user behavior", Information Economics and Policy (19:1), 2007, pp. 43-64.
28. A. Arora, A. Telang, and H. Xu, "Optimal Policy for Software Vulnerability Disclosure", in: Proceedings of the Third Annual Workshop on Economics and Information Security, Minneapolis, Minnesota, May 13-14, 2004, pp. 52-59.
29. J.P. Choi, C. Fershtman, and N. Gandal, "Network Security: Vulnerabilities and Disclosure Policy", Discussion paper, http://www.msu.edu/~choijay/Internet-Security.pdf, 2007.
30. A. Arora, C.M. Forman, A. Nandkumar, and R. Telang, "Competitive and strategic effects in the timing of patch release", in Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge, UK, June 26-28, 2006.
31. H. Cavusoglu, H. Cavusoglu, and J. Zhang, "Economics of Security Patch Management", in: Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge, UK, June 26-28, 2006.
32. S. Beattie, S. Arnold, C. Cowan, P. Wagle, C. Wright, and A. Shostack, "Timing the Application of Security Patches for Optimal Uptime", in: Proceedings of Sixteenth Systems Administration Conference, Philadelphia, Pennsylvania, November 3-8, 2002, pp. 233-242.
33. R. Anderson, "Open and Closed Systems are Equivalent (that is, in an ideal world)", in: Perspectives on Free and Open Source Software, Feller, J., B. Fitzgerald, S.A. Hissam, and K.R. Lakhani (Eds.), MIT Press, Cambridge, 2005, pp. 127-142.
34. NetApplications, "Global Market Share Statistics, http://marketshare.hitslink.com, 2009.
35. Netcraft, "Web Server Survey", http://news.netcraft.com/ archives/web-server-survey.html, 2009.
36. Gartner, "Gartner Says Worldwide Relational Database Market Increased 14 Percent in 2006", http://www.gartner.com/it/page.jsp?id= 507466, 2007.
37. NIST, Personal communication with C. Johnson, National Vulnerability Database - Program Manager, Computer Security Division Personal communication, May 2009.
38. NIST, National Vulnerability Database, http://nvd.nist.gov, 2009.