DocumentCode :
1728072
Title :
Analyses of Two End-User Software Vulnerability Exposure Metrics
Author :
Wright, Jason L. ; McQueen, Miles ; Wellman, Lawrence
Author_Institution :
Idaho Nat. Lab., Idaho Falls, ID, USA
fYear :
2012
Firstpage :
1
Lastpage :
10
Abstract :
The risk due to software vulnerabilities will not be completely resolved in the near future. Instead, putting reliable vulnerability measures into the hands of end-users so that informed decisions can be made regarding the relative security exposure incurred by choosing one software package over another is of importance. To that end, we propose two new security metrics, average active vulnerabilities (AAV) and vulnerability free days (VFD). These metrics capture both the speed with which new vulnerabilities are reported to vendors and the rate at which software vendors fix them. We then examine how the metrics are computed using currently available data sets and demonstrate their estimation in a simulation experiment using four different browsers as a case study. Finally, we discuss how the metrics may be used by the various stakeholders of software to aid usage decisions.
Keywords :
online front-ends; software fault tolerance; software metrics; software packages; AAV; VFD; average active vulnerabilities; browsers; end-user software vulnerability exposure metrics; relative security exposure; software package; usage decisions; vulnerability free days; Browsers; Databases; Google; Internet; Measurement; Security; Software; experimental security; metrics; security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Availability, Reliability and Security (ARES), 2012 Seventh International Conference on
Conference_Location :
Prague
Print_ISBN :
978-1-4673-2244-7
Type :
conf
DOI :
10.1109/ARES.2012.33
Filename :
6329266