{"title":"两个终端用户软件漏洞暴露度量(扩展版本)分析","authors":"Jason L. Wright, Miles McQueen, Lawrence Wellman","doi":"10.1016/j.istr.2013.02.002","DOIUrl":null,"url":null,"abstract":"<div><p>Understanding the exposure risk of software vulnerabilities is an important part of the software ecosystem. Reliable software vulnerability metrics allow end-users to make informed decisions regarding the risk posed by the choice of one software package versus another. In this article, we develop and analyze two new security metrics: median active vulnerabilities (MAV) and vulnerability free days (VFD). Both metrics take into account both the rate of vulnerability discovery and the rate at which vendors produce corresponding patches. We examine how our metrics are computed from publicly available data sets and then demonstrate their use in a case study with various vendors and products. Finally, we discuss the use of the metrics by various software stakeholders and how end-users can benefit from their use.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"17 4","pages":"Pages 173-184"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2013.02.002","citationCount":"3","resultStr":"{\"title\":\"Analyses of two end-user software vulnerability exposure metrics (extended version)\",\"authors\":\"Jason L. Wright, Miles McQueen, Lawrence Wellman\",\"doi\":\"10.1016/j.istr.2013.02.002\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Understanding the exposure risk of software vulnerabilities is an important part of the software ecosystem. Reliable software vulnerability metrics allow end-users to make informed decisions regarding the risk posed by the choice of one software package versus another. In this article, we develop and analyze two new security metrics: median active vulnerabilities (MAV) and vulnerability free days (VFD). Both metrics take into account both the rate of vulnerability discovery and the rate at which vendors produce corresponding patches. We examine how our metrics are computed from publicly available data sets and then demonstrate their use in a case study with various vendors and products. Finally, we discuss the use of the metrics by various software stakeholders and how end-users can benefit from their use.</p></div>\",\"PeriodicalId\":100669,\"journal\":{\"name\":\"Information Security Technical Report\",\"volume\":\"17 4\",\"pages\":\"Pages 173-184\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-05-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"https://sci-hub-pdf.com/10.1016/j.istr.2013.02.002\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information Security Technical Report\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1363412713000125\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Security Technical Report","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1363412713000125","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Analyses of two end-user software vulnerability exposure metrics (extended version)
Understanding the exposure risk of software vulnerabilities is an important part of the software ecosystem. Reliable software vulnerability metrics allow end-users to make informed decisions regarding the risk posed by the choice of one software package versus another. In this article, we develop and analyze two new security metrics: median active vulnerabilities (MAV) and vulnerability free days (VFD). Both metrics take into account both the rate of vulnerability discovery and the rate at which vendors produce corresponding patches. We examine how our metrics are computed from publicly available data sets and then demonstrate their use in a case study with various vendors and products. Finally, we discuss the use of the metrics by various software stakeholders and how end-users can benefit from their use.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
