An Empirical Methodology to Evaluate Vulnerability Discovery Models

Massacci, Fabio; Nguyễn, Việt Hùng

doi:10.1109/tse.2014.2354037

Cited by 39 publications

(34 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When a vulnerability is fixed by only adding lines of code, there will be no evidence to track, and the authors in [20] conservatively assume that in such cases the whole version prior the fix (namely, code(r 0 )) is vulnerable. This screening test was appropriate for the empirical analysis of Vulnerability Discovery Models [39], which are typically based on the NVD and its cautious assumption "r 0 is vulnerable and so are all its previous versions" (see [20]), as this would create a consistent approximation of the NVD. Essentially, the overall approach can be seen as an instance of the generic screening test that we defined in Algorithm 1.…”

Section: Deletion Screening Criterionmentioning

confidence: 99%

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi

Brucker

Massacci

2019

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

Abstract-Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities-in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.

show abstract

Section: Deletion Screening Criterionmentioning

confidence: 99%

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi

Brucker

Massacci

2019

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The simplest metric is time (since release), and the corresponding model is a Vulnerability Discovery Model. Massacci and Nguyen [14] provide a comprehensive survey and independent empirical validation of several vulnerability discovery models. Several other metrics have been used: code complexity metrics [25,24,16], developer activity metrics [24], static analysis defect densities [27], frequencies of occurrence of programming constructs [21,28], etc.…”

Section: Related Workmentioning

confidence: 99%

On the Security Cost of Using a Free and Open Source Component in a Proprietary Product

Dashevskyi

Brucker

Massacci

2016

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e. g., development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.

show abstract

“…2 As a rule rather than an exception, the security patches from both Red Hat and Microsoft have covered multiple vulnerabilities. Although these counting issues are known to affect estimates (Massacci and Nguyen, 2014), the use of security advisories does not invalidate the theoretical premises as such; regardless whether the known vulnerabilities are observed individually or in groups, the resulting trends should follow a sigmoidal growth trend.…”

Section: Datamentioning

confidence: 99%

“…The literature contains an abundant amount of sigmoid functions for S-shaped growth patterns (Höök et al, 2011;López et al, 2004;Massacci and Nguyen, 2014;Meade and Islam, 2006;Wang et al, 2014;Zwietering et al, 1990). A classical example is the famous function that Gompertz (1825) formulated to determine the rate of mortality.…”

Section: Growth Curvesmentioning

confidence: 99%