Modeling vulnerability discovery process in Apache and IIS HTTP servers

Abstract

Vulnerability discovery models allow prediction of the number of vulnerabilities that are likely to be discovered in the future. Hence, they allow the vendors and the end users to manage risk by optimizing resource allocation. Most vulnerability discovery models proposed use the time as an independent variable. Effort-based modeling has also been proposed, which requires the use of market share data. Here, the feasibility of characterizing the vulnerability discovery process in the two major HTTP servers, Apache and IIS, is quantitatively examined using both time and effort-based vulnerability discovery models, using data spanning more than a decade. The data used incorporates the effect of software evolution for both servers. In addition to aggregate vulnerabilities, different groups of vulnerabilities classified using both the error types and severity levels are also examined. Results show that the selected vulnerability discovery models of both types can fit the data of the two HTTP servers very well. Results also suggest that separate modeling for an individual class of vulnerabilities can be done. In addition to the model fitting, predictive capabilities of the two models are also examined. The results demonstrate the applicability of quantitative methods to widely-used products, which have undergone evolution.