Title :
Optimal Security Patch Release Timing under Non-homogeneous Vulnerability-Discovery Processes
Author :
Okamura, Hiroyuki ; Tokuzane, Masataka ; Dohi, Tadashi
Author_Institution :
Dept. of Inf. Eng., Hiroshima Univ., Higashi-Hiroshima, Japan
Abstract :
This paper proposes a patch management model with non-homogeneous vulnerability-discovery processes to find the optimal security patch release times. The proposed model extends Cavusoglu et al. (2006, 2008) by applying non-homogeneous vulnerability-discovery processes that are based on a vulnerability life-cycle model, and provides the optimal schedule of security patch release times over a software life cycle by means of cost analysis. In numerical examples, we show that the optimal patch release policy is an aperiodic release strategy, and compare the minimum cost under the optimal policy with that under a periodic release strategy. In addition, using publicly disclosed vulnerability data, we illustrate the optimal security patch release policy for a real software product.
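The abstract describes the model only in outline. The following Python script is an added worked illustration, not the authors' model or code, and every modelling choice in it is an assumption made for the example: vulnerability discovery follows a Goel-Okumoto NHPP with mean value function m(t) = A(1 - exp(-Bt)), i.e. a discovery rate that decays over the life cycle (in the spirit of the non-homogeneous processes the paper uses, but not taken from it); each release carries a fixed cost; and each discovered-but-unpatched vulnerability accrues a damage cost per month until the next release, or until end of support if no release follows. The script computes the expected cost of a periodic schedule and of an aperiodic one obtained by coordinate descent from that periodic start, then also searches over the number of releases. Under a decaying discovery rate the optimised release intervals come out strictly increasing, which is the aperiodic behaviour the abstract reports.

```python
"""
Patch-release scheduling as cost minimisation over an NHPP
vulnerability-discovery process.

Added illustration, not the model or code of the paper above.  All
constants and modelling choices are assumptions made for this example:
  * discovery is a Goel-Okumoto NHPP, m(t) = A * (1 - exp(-B t)), so the
    discovery rate A*B*exp(-B t) decays over the software life cycle;
  * every patch release costs a fixed C_RELEASE;
  * every discovered-but-unpatched vulnerability costs C_EXPOSURE per month
    until the next release, or until end of support T if none follows.
"""
import math

A = 30.0          # expected total vulnerabilities over an infinite horizon
B = 0.10          # discovery decay rate per month
T = 36.0          # end of support, in months
C_RELEASE = 12.0  # fixed cost of one patch release
C_EXPOSURE = 1.0  # damage cost per vulnerability-month of exposure


def mean_value(t):
    """Expected number of vulnerabilities discovered by time t."""
    return A * (1.0 - math.exp(-B * t))


def expected_exposure(u, v):
    """Expected vulnerability-months accumulated in (u, v] when everything
    discovered in that window is patched at v.

    This is the integral over s in (u, v] of m(s) - m(u), the expected
    number of known-but-unpatched vulnerabilities at time s.  For the
    Goel-Okumoto m(t) the integral has the closed form below.
    """
    if v <= u:
        return 0.0
    eu, ev = math.exp(-B * u), math.exp(-B * v)
    return A * ((v - u) * eu - (eu - ev) / B)


def schedule_cost(times):
    """Total expected cost of releasing patches at the sorted `times`."""
    prev, exposure = 0.0, 0.0
    for t in times:
        exposure += expected_exposure(prev, t)
        prev = t
    exposure += expected_exposure(prev, T)  # tail: exposed until end of support
    return C_RELEASE * len(times) + C_EXPOSURE * exposure


def periodic_schedule(n):
    """n releases at a fixed interval of T/n months (the last one at T)."""
    return [k * T / n for k in range(1, n + 1)]


def _ternary_min(f, lo, hi, iters=60):
    """Minimise a convex f on [lo, hi] by ternary search."""
    for _ in range(iters):
        m1, m2 = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if f(m1) < f(m2):
            hi = m2
        else:
            lo = m1
    return (lo + hi) / 2.0


def optimise_schedule(n, rounds=100):
    """Aperiodic schedule with n releases, by coordinate descent from the
    periodic one.  Moving a single release time only changes the exposure of
    its two neighbouring windows, and that local cost is convex in the release
    time, so each step is an exact 1-D minimisation and the total cost never
    increases.  The result is a stationary point, not a proven global optimum.
    """
    times = periodic_schedule(n)
    for _ in range(rounds):
        for i in range(n):
            lo = times[i - 1] if i > 0 else 0.0
            hi = times[i + 1] if i + 1 < n else T
            local = lambda t: expected_exposure(lo, t) + expected_exposure(t, hi)
            times[i] = _ternary_min(local, lo, hi)
    return times


def best_policy(max_releases=8):
    """Optimise the number of releases as well as their timing."""
    best_times, best_cost = None, math.inf
    for n in range(1, max_releases + 1):
        times = optimise_schedule(n)
        cost = schedule_cost(times)
        if cost < best_cost:
            best_times, best_cost = times, cost
    return best_times, best_cost


if __name__ == "__main__":
    for n in (2, 4, 6):
        per, opt = periodic_schedule(n), optimise_schedule(n)
        print(f"n={n}: periodic {schedule_cost(per):7.2f}  "
              f"aperiodic {schedule_cost(opt):7.2f}  "
              f"release months {[round(t, 1) for t in opt]}")
    times, cost = best_policy()
    print(f"best: {len(times)} releases, cost {cost:.2f}, "
          f"months {[round(t, 1) for t in times]}")
```

Running the script prints the periodic and aperiodic costs for 2, 4 and 6 releases and the cheapest schedule found over 1 to 8 releases. The closed form in expected_exposure comes from integrating m(s) - m(u) over the window; the first-order condition for an interior release time gives h_{i+1} = (exp(B h_i) - 1)/B for consecutive release intervals, which is why the intervals lengthen as discovery slows. Because coordinate descent starts from the periodic schedule and never increases the cost, the aperiodic result is never worse than the periodic one, but the comparison says nothing about the paper's own cost function, which is not reproduced here.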
Keywords :
security of data; software engineering; aperiodic release strategy; cost analysis; nonhomogeneous vulnerability-discovery processes; optimal patch release policy; optimal schedule; optimal security patch release policy; optimal security patch release timing; patch management model; real software product; software life cycle; vulnerability life-cycle model; Computer security; Cost function; Data security; Engineering management; Information security; Reliability engineering; Software reliability; Software systems; Software testing; Timing; non-homogeneous Poisson process; patch management; vulnerability-discovery process;
Conference_Titel :
Software Reliability Engineering, 2009. ISSRE '09. 20th International Symposium on
Conference_Location :
Mysuru, Karnataka, India
Print_ISBN :
978-1-4244-5375-7
ISSN :
1071-9458
DOI :
10.1109/ISSRE.2009.19