A large scale exploratory analysis of software vulnerability life cycles

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2012, Pages 771-781

  Shahzad, Muhammad ^a   Shafiq, Muhammad Zubair ^a   Liu, Alex X ^a  

^a Michigan State University   (United States)

Author keywords

disclosure; exploit; NVD; OSVDB; patch; vulnerability

Indexed keywords

DISCLOSURE; EXPLOIT; NVD; OSVDB; PATCH; VULNERABILITY;

COMPUTER SOFTWARE;

LIFE CYCLE;

EID: 84864270546     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICSE.2012.6227141     Document Type: Conference Paper

References (22)

1. E. E. Schultz, D. S. Brown, and T. A. Longstaff, Responding to Computer Security Incidents: Guidelines for Incident Handling, Lawrence Livermore National Laboratory, Livermore, CA, 1990.
2. R. Anderson, "Security in open versus closed systems - the dance of boltzmann, coase and moore," in Proc. Open Source Software: Economics, Law, and Policy Confocuce, June 2002.
3. S. Frei, M. May, U. Fiedler, and B. Plattner, "Large-scale vulnerability analysis," in Proc. 2006 SIGCOMM workshop on Large-Scale Attack Defense, September 2006, pp. 131-138.
4. S. Frei, B. Tellenbach, and B. Plattner, "0-day patch exposing vendors (in) security performance," in Proc. Black Hat Technical Security Conf. , vol. 14, 2009.
5. O. H. Alhazmi and Y. K. Malaiya, "Quantitative vulnerability assessment of systems software," in Proc. Annual Reliability and Maintainability Symposium, 2005, pp. 615-620.
6. E. Rescorla, "Is finding security holes a good idea?" IEEE Security and Privacy, vol. 3, no. 1, pp. 14-19, Januray 2005.
7. A. Arora, R. Krishnan, R. Telang, and Y. Yang, "An empirical analysis of software vendors patch release behavior: Impact of vulnerability disclosure," Information Systems Research, vol. 21, no. 1, pp. 115-132, 2010.
8. A. Arora, C. Forman, A. Nandkumar, and R. Telang, "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, vol. 22, no. 2, pp. 164-177, 2010.
9. (http://nvd.nist.gov/) National Vulnerability Database.
10. (http://osvdb.org/) The Open Source Vulnerability Database.
11. (http://www.first.org/cvss) Forum for Incident Response and Security Teams.
12. (http://cve.mitre.org/) Common Vulnerabilities and Exposures.
13. R. Tibshirani, G. Walther, and T. Hastie, "Estimating the number of clusters in a data set via the gap statistic," Journal of the Royal Statistical Society: Series B (Statistical Methodology), vol. 63, no. 2, pp. 411-423, 2001.
14. R. Agrawal and R. Srikant, "Fast algorithms for mining association rules," in Proc. of 20th Int. Conf. on Very Large Data Bases, 1994, pp. 487-499.
15. I. H. Witten, E. Frank, L. Trigg, M. Hall, G. Holmes, and S. J. Cunningham, Weka: Practical Machine Learning Tools and Techniques with Java Implementations. Citeseer, 1999.
16. S. Clark, S. Frei, M. Blaze, and J. Smith, "Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities," in Proc. 26th Int. Annual Computer Security Applications Conf. , 2010, pp. 251-260.
17. Y. Wu, H. Siy, and R. Gandhi, "Empirical results on the study of software vulnerabilities: NIER track," in Proc. 33rd Int. Conf. on Software Engineering, 2011, pp. 964-967.
18. R. Anderson, "Why information security is hard - an economic perspective," in Proc. 17th Annual Computer Security Applications Conf. , 2001, pp. 358-365.
19. R. Telang and S. Wattal, "An empirical analysis of the impact of software vulnerability announcements on firm stock price," IEEE Transactions on Software Engineering, vol. 33, no. 8, pp. 544-557, 2007.
20. G. Schryen, "A comprehensive and comparative analysis of the patching behavior of open source and closed source software vendors," in Proc. 5th Int. Conf. on IT Security Incident Management and IT Forensics, 2009, pp. 153-168.
21. G. Vache, "Vulnerability analysis for a quantitative security evaluation," in Proc. 3rd Int. Symp. on Empirical Software Engineering and Measurement, 2009.
22. M. Bozorgi, L. K. Saul, S. Savage, and G. M. Voelker, "Beyond heuristics: Learning to classify vulnerabilities and predict exploits," in Proc. of 16th Int. Conf. on Knowledge discovery and data mining, 2010, pp. 105-114.