Periodicity in software vulnerability discovery, patching and exploitation

Joh, HyunChul; Malaiya, Yashwant K.

doi:10.1007/s10207-016-0345-x

Cited by 12 publications

(7 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast, it would be surprising if a software engineering study would not reveal longitudinal effects in a period covering almost a decade. The result is also familiar from comparable studies about vulnerability coordination [88] and time series aspects of vulnerability archiving [37,106]. If avoiding delays is important, the results can be also used to conjecture that "do not request CVEs during weekends".…”

Section: Main Findingsmentioning

confidence: 88%

“…There exists also monthly variation in the delays. In addition to annual holidays, another reason may relate to security conferences and related events that tend to spike the public disclosure of new vulnerabilities [37]. In any case, it is simpler to interpret the positive effect of WEEKEND.…”

Section: Regression Estimatesmentioning

confidence: 99%

“…Given the fairly complex time series dynamics arising from the archiving of vulnerabilities to NVD and related tracking infrastructures [37,106], a further set of eleven dummy variables is included for controlling potential monthly variation in the coordination delays. The T oss-security 1 , .…”

Section: Control Metricsmentioning

confidence: 99%

See 2 more Smart Citations

A case study on software vulnerability coordination

Ruohonen

Rauti

Hyrynsalmi

et al. 2018

Information and Software Technology

View full text Add to dashboard Cite

Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method : Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for the contemporary CVE coordination.

show abstract

Section: Main Findingsmentioning

confidence: 88%

Section: Regression Estimatesmentioning

confidence: 99%

See 1 more Smart Citation

A case study on software vulnerability coordination

Ruohonen

Rauti

Hyrynsalmi

et al. 2018

Information and Software Technology

View full text Add to dashboard Cite

show abstract

“…Actually, in the paper, the authors does not empathize the seasonal datasets, but four quantifiable and distinct characteristics which can be found in software vulnerabilities: Half-life, Prevalence, Persistence and Exploitation. However, among the datasets what day presents turns out that there are indeed periodic patterns [7]. Half-life represents "time interval for reducing occurrence of a vulnerability by half.…”

Section: Discussionmentioning

confidence: 99%

Seasonality and Software Vulnerabilities in Major Database Management Systems

Joh

2020

EJERS

Self Cite

View full text Add to dashboard Cite

Popularity and marketshare are very important index for software users and vendors since more popular systems tend to engage better user experience and environments. periodical fluctuations in the popularity and marketshare could be vital factors when we estimate the potential risk analysis in target systems. Meanwhile, software vulnerabilities, in major relational database management systems, are detected every now and then. Today, all most every organizations depend on those database systems for store and retrieve their any kinds of informations for the reasons of security, effectiveness, etc. They have to manage and evaluate the level of risks created by the software vulnerabilities so that they could avoid potential losses before the security defects damage their reputations. Here, we examine the seasonal fluctuations with respect to the view of software security risks in the four major database systems, namely MySQL, MariaDB, Oracle Database and Microsoft SQL Server.

show abstract

“…There is a significant corpus of research to examine vulnerabilities and forecast them with regression-based empirical estimation (Alhazmi et al , 2007; Cheminod et al , 2017; Massacci and Nguyen, 2014; Mitra and Ransbotham, 2015; Ransbotham et al , 2012; Ruohonen et al , 2015) and linear econometric modelling (Edwards et al , 2016; Johnson et al , 2016; Joh and Malaiya, 2017; Roumani et al , 2015; Sokol and Gajdoš, 2017; Tang et al , 2017; Woo et al , 2011). What is missing from the extant literature is an in-depth longitudinal examination of vulnerability growth pattern that can measure and forecast their behaviour from time-based history rather than cumulative cross-sectional data.…”

Section: Introductionmentioning

confidence: 99%

G-RAM framework for software risk assessment and mitigation strategies in organisations

Biswas

Mukhopadhyay

2018

JEIM

View full text Add to dashboard Cite

Purpose Malicious attackers frequently breach information systems by exploiting disclosed software vulnerabilities. Knowledge of these vulnerabilities over time is essential to decide the use of software products by organisations. The purpose of this paper is to propose a novel G-RAM framework for business organisations to assess and mitigate risks arising out of software vulnerabilities. Design/methodology/approach The G-RAM risk assessment module uses GARCH to model vulnerability growth. Using 16-year data across 1999-2016 from the National Vulnerability Database, the authors estimate the model parameters and validate the prediction accuracy. Next, the G-RAM risk mitigation module designs optimal software portfolio using Markowitz’s mean-variance optimisation for a given IT budget and preference. Findings Based on an empirical analysis, this study establishes that vulnerability follows a non-linear, time-dependent, heteroskedastic growth pattern. Further, efficient software combinations are proposed that optimise correlated risk. The study also reports the empirical evidence of a shift in efficient frontier of software configurations with time. Research limitations/implications Existing assumption of independent and identically distributed residuals after vulnerability function fitting is incorrect. This study applies GARCH technique to measure volatility clustering and mean reversal. The risk (or volatility) represented by the instantaneous variance is dependent on the immediately previous one, as well as on the unconditional variance of the entire vulnerability growth process. Practical implications The volatility-based estimation of vulnerability growth is a risk assessment mechanism. Next, the portfolio analysis acts as a risk mitigation activity. Results from this study can decide patch management cycle needed for each software – individual or group patching. G-RAM also ranks them into a 2×2 risk-return matrix to ensure that the correlated risk is diversified. Finally the paper helps the business firms to decide what to purchase and what to avoid. Originality/value Contrary to the existing techniques which either analyse with statistical distributions or linear econometric methods, this study establishes that vulnerability growth follows a non-linear, time-dependent, heteroskedastic pattern. The paper also links software risk assessment to IT governance and strategic business objectives. To the authors’ knowledge, this is the first study in IT security to examine and forecast volatility, and further design risk-optimal software portfolios.

show abstract

Periodicity in software vulnerability discovery, patching and exploitation

Cited by 12 publications

References 22 publications

A case study on software vulnerability coordination

A case study on software vulnerability coordination

Seasonality and Software Vulnerabilities in Major Database Management Systems

G-RAM framework for software risk assessment and mitigation strategies in organisations

Contact Info

Product

Resources

About