Measuring and Modeling Software Vulnerability Security Advisory Platforms

Miranda, Lucas; Vieira, D.; Nogueira, Mateus; Ventura, Leonardo; Bicudo, Miguel; Martins, Matheus; Senos, Lucas; Aguiar, Leandro Pfleger de; Lovat, Enrico; Menasché, Daniel Sadoc

doi:10.1007/978-3-030-68887-5_2

Cited by 4 publications

(1 citation statement)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Succinctly, by reducing the memory of Little's Law we are less sensitive to history, and more sensitive to changes in the rates. Little's law was recently applied to CVE production times by other researchers [Miranda et al 2021], but they did not make use of it as a predictor or measure its predictive power against other forecasting models as we have done here. Our work can be seen as independent conirmation of the applicability of Little's Law to the problem space.…”

Section: Litle's Law Exit Ratementioning

confidence: 99%

Vulnerability Forecasting: Theory and Practice

2022

View full text Add to dashboard Cite

It is possible to forecast the volume of CVEs released within a time frame with a given prediction interval. For example, the number of CVEs published between now and 365 days from now can be predicted a year in advance within 8% of the actual value. Different predictive algorithms perform well at different lookahead values other than 365 days, such as monthly, quarterly, and half year. It is also possible to estimate the proportions of that total volume belonging to specific vendors, software, CVSS scores, or vulnerability types. Some vendors and products can be predicted with accuracy, others with too much uncertainty to be practically useful. This paper documents which ones are amenable to being forecasted. Strategic patch management should become much easier with these tools, and further uncertainty reductions can be built from the methodologies in this paper.

show abstract

Section: Litle's Law Exit Ratementioning

confidence: 99%