Modeling vulnerability discovery process in Apache and IIS HTTP servers

Computers and Security

Volumn 30, Issue 1, 2011, Pages 50-62

  Woo, Sung Whan ^a   Joh, Hyunchul ^a   Alhazmi, Omar H ^a   Malaiya, Yashwant K ^a  

^a Colorado State University   (United States)

Author keywords

Quantitative modeling; Risk evaluation; Security; Vulnerability discovery model (VDM); Web server

Indexed keywords

QUANTITATIVE MODELING; RISK EVALUATION; SECURITY; VULNERABILITY DISCOVERY; WEB SERVERS;

COMPETITION; SECURITY OF DATA; SERVERS; WEB SERVICES;

HTTP;

EID: 79251599901     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2010.10.007     Document Type: Article

References (50)

1. Alhazmi OH, Malaiya YK. Quantitative vulnerability assessment of system software. In: Proc. annual reliability and maintainability symposium; Jan. 2005a. p. 615-20.
2. Alhazmi OH, Malaiya YK, Ray I. Security vulnerabilities in software systems: a quantitative perspective. In: Proc. Ann. IFIP WG11.3 working conference on data and information security; Aug. 2005b. p. 281-94.
3. Alhazmi OH, Malaiya YK. Prediction capability of vulnerability discovery process. In: Proc. reliability and maintainability symposium; Jan. 2006. p. 86-91.
4. O.H. Alhazmi, and Y.K. Malaiya Application of vulnerability discovery models to major operating systems IEEE Transactions on Reliability March 2008 14 22
5. O.H. Alhazmi, Y.K. Malaiya, and I. Ray Measuring, analyzing and predicting security vulnerabilities in software systems Computers & Security 26 3 May 2007 219 228
6. G. Alvarez, and Slobodan Petrovic A new taxonomy of web attacks suitable for efficient encoding Computers & Security 22 5 July 2003 435 449 10.1016/S0167-4048(03)00512-1 ISSN: 0167-4048
7. Anderson R. Security in open versus closed systems - the dance of Boltzmann, Coase and Moore. In: Conf. on open source software: economics, law and policy; 2002. p. 1-15.
8. T. Aslam, and E.H. Spafford A taxonomy of security faults Technical report 1996 Carnegie Mellon
9. Aura T, Bishop M, Sniegowski D. Analyzing single-server network inhibition. In: Proceedings of the 13th IEEE computer security foundations workshop; Jul. 2000. p. 108-17.
10. BEA Systems http://www.bea.com April 2010
11. Bishop M. Vulnerability analysis: an extended abstract. In: Proc. second international symposium on recent advances in intrusion detection; Sep. 1999. p. 125-36.
12. S. Brocklehurst, P.Y. Chan, B. Littewood, and J. Snell Recalibrating software reliability models IEEE Transactions on Software Engineering 16 4 1990 456 470
13. Browne HK, Arbaugh WA, McHugh J, Fithen WL. A trend analysis of exploitations. In IEEE symposium on security and privacy; 2001. p. 214-29.
14. Conseil Européen pour la Recherche Nucléaire (CERN) http://info.cern.ch/ April 2010
15. M. Di Penta, L. Cerulo, and L. Aversano The life and death of statically detected vulnerabilities: an empirical study Information and Software Technology 51 10 October 2009 1469 1484
16. N.E. Fenton, and J. Rafail Prediction and control of ADA software defects Journal of Systems and Software July 1990 199 207
17. First of incident response and security teams (FIRST.org, Inc.), Common vulnerability scoring system (CVSS) http://www.first.org/cvss/ April 2010
18. R. Ford, H. Thompson, and F. Casteran Role comparison report - web server role Technical Report 2005 Security Innovation
19. R. Gopalakrishna, and E.H. Spafford A trend analysis of vulnerabilities May 2005 CERIAS, Purdue University CERIAS TR 2005-05
20. R. Gopalakrishna, E.H. Spafford, and J. Vitek Vulnerability likelihood: a probabilistic approach to software assurance Technical Report 2005 CERIAS
21. Hallberg J, Hanstad A, Peterson M. A framework for system security assessment. In: Proc. 2001 IEEE symposium on security and privacy; May 2001. p. 214-29.
22. L. Hatton Reexamining the fault density-component size connection IEEE Software March 1997 89 97
23. IIS vs. Apache, Looking Beyond the Rhetoric http://www.serverwatch.com/ tutorials/article.php/3074841 April 2010
24. Joh H, Kim J, Malaiya YK. Vulnerability discovery modeling using Weibull distribution. In: 19th international symposium on software reliability engineering; 2008. p. 299-300.
25. Kargl F, Maier J, Weber M. Protecting web servers from distributed denial of service attacks. In: Proc. 10th international WWW conference; 2001. p. 514-24.
26. Kim J, Malaiya YK, Ray I. Vulnerability discovery in multi-version software systems. In: Proc. 10th IEEE Int. symp. on high assurance system engineering (HASE), Dallas; Nov. 2007. p. 141-8.
27. C.E. Landwehr, A.R. Bull, J.P. McDermott, and W.S. Choi A taxonomy of computer program security flaws ACM Computing Surveys 1994 211 254
28. M.R. Lyu Handbook of software reliability 1995 McGraw-Hill
29. A. Machie, J. Roculan, R. Russell, and M.V. Velzen Nimda worm analysis Tech. Rep. Incident analysis September 2001 SecurityFocus
30. B.B. Madan, K. Goseva-Popstojanova, K. Vaidyanathan, and K.S. Trivedi A method for modeling and quantifying the security attributes of intrusion tolerant systems Performance Evaluation 2004 167 186
31. Y.K. Malaiya, N. Karunanithi, and P. Verma Predictability of software reliability models IEEE Transactions on Reliability 41 4 December 1992 539 546
32. G. McGraw From the ground up: the DIMACS software security workshop IEEE Security and Privacy 1 2 March/April 2003 59 66
33. Moore D, Shannon C, Claffy KC. Code-red: a case study on the spread and victims of an internet worm. In: Internet measurement workshop; 2002. p. 273-84.
34. Musa JD, Okumoto K. A logarithmic Poisson execution time model for software reliability measurements. In: Proceedings of 7th international conference on software engineering, Silver Spring, MD; March 1984. p. 230-38.
35. J. Musa Software reliability engineering 1999 McGraw-Hill
36. Netcraft http://news.netcraft.com/ April 2010
37. National Vulnerability Database (NVD) http://nvd.nist.gov/ April 2010
38. Oracle WebLogic Server http://www.oracle.com/technology/products/ Weblogic/index.html April 2010
39. Open Source Vulnerability Database (OSVDB) http://osvdb.org April 2010
40. C.P. Pfleeger, and S.L. Pfleeger Security in computing 3rd ed. 2003 Prentice Hall PTR
41. Rescorla E. Security holes. Who cares?. In: Proc. 12th USENIX security symposium; 2003. p. 75-90.
42. E. Rescorla Is finding security holes a good idea? IEEE Security and Privacy 2005 14 19
43. Sahinoglu M. Quantitative risk assessment for dependent vulnerabilities. In: Proc. reliability and maintainability symposium; Jan. 2006. p. 82-85.
44. C.R. Seacord, and A.D. Householder A structured approach to classifying vulnerabilities Technical Report CMU/SEI-2005-TN-003 2005 Carnegie Mellon
45. R. Seacord Secure coding in C and C 2005 Addison Wisely
46. Secunia http://secunia.com/ April 2010
47. Securityfocus http://www.securityfocus.com/ April 2010
48. SLOCCount http://dwheeler.com/sloccount April 2010
49. H.S. Venter, J.H.P. Eloff, and Y.L. Li Standardizing vulnerability categories Computers & Security 27 3-4 May-June 2008 71 83 10.1016/j.cose.2008.04.002 ISSN: 0167-4048
50. Woo S-W, Alhazmi OH, Malaiya YK. Assessing vulnerabilities in Apache and IIS HTTP servers. In: Proc. IEEE Int. symp. on dependable, autonomic and secure computing (DASC'06); Sept.-Oct. 2006. p. 103-10.