Abstract

Vulnerability discovery models allow prediction of the number of vulnerabilities that are likely to be discovered in the future. Hence, they allow vendors and end users to manage risk by optimizing resource allocation. Most vulnerability discovery models proposed so far use time as the independent variable. Effort-based modeling has also been proposed, which requires the use of market share data. Here, the feasibility of characterizing the vulnerability discovery process in the two major HTTP servers, Apache and IIS, is quantitatively examined using both time-based and effort-based vulnerability discovery models, using data spanning more than a decade. The data used incorporates the effect of software evolution for both servers. In addition to aggregate vulnerabilities, different groups of vulnerabilities, classified by both error type and severity level, are also examined. Results show that the selected vulnerability discovery models of both types fit the data of the two HTTP servers very well. Results also suggest that an individual class of vulnerabilities can be modeled separately. In addition to the model fitting, the predictive capabilities of the two models are also examined. The results demonstrate the applicability of quantitative methods to widely used products that have undergone evolution.
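To make the two model families in the abstract concrete, the following is an added example, not code or data from the paper: it fits a time-based model and an effort-based model to constructed cumulative-vulnerability data and then uses the fitted parameters to predict counts beyond the observed window, which is the "predictive capability" the abstract refers to. The model forms are an assumption, since the abstract does not name them: the logistic AML model for time and the exponential AME model for effort (both from Alhazmi and Malaiya). The effort series is built from a constructed usage series, standing in for the market-share data that effort-based modeling needs. Only the Python standard library is used, with a simple coordinate search in place of a library least-squares routine.

```python
"""Added example: fitting a time-based and an effort-based vulnerability
discovery model (VDM) to constructed cumulative-vulnerability data, using
only the Python standard library. Assumed model forms: the logistic AML
model for time and the exponential AME model for effort (Alhazmi-Malaiya);
the abstract itself does not name the models it used."""
import math


def aml(t, A, B, C):
    """Logistic time-based VDM: cumulative vulnerabilities found by time t.
    B is the eventual total, A scales the discovery rate, C sets the offset."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)


def ame(E, B, lam):
    """Exponential effort-based VDM: cumulative vulnerabilities after effort E,
    saturating at B with per-unit-effort discovery rate lam."""
    return B * (1.0 - math.exp(-lam * E))


def cumulative_effort(usage):
    """Turn a per-period usage series (e.g. market share times user base,
    which is what effort-based models need) into cumulative effort."""
    total, out = 0.0, []
    for u in usage:
        total += u
        out.append(total)
    return out


def sse(model, params, data):
    """Sum of squared errors of a model against (x, count) pairs."""
    return sum((y - model(x, *params)) ** 2 for x, y in data)


def fit(model, data, init, step=0.5, tol=1e-7, max_iter=20000):
    """Least-squares fit by multiplicative coordinate search: each parameter is
    tried scaled up and down, improvements are kept, and the step halves
    whenever no single-parameter move lowers the error. Parameters stay
    positive, which all VDM parameters must be."""
    params = list(init)
    best = sse(model, params, data)
    for _ in range(max_iter):
        improved = False
        for i in range(len(params)):
            for factor in (1.0 + step, 1.0 / (1.0 + step)):
                trial = params[:]
                trial[i] *= factor
                err = sse(model, trial, data)
                if err < best:
                    params, best, improved = trial, err, True
        if not improved:
            step *= 0.5
            if step < tol:
                break
    return params, best


# Constructed ground truth and data (not measurements from Apache or IIS).
TRUE_TIME = (0.0015, 120.0, 1.0)        # A, B, C
TRUE_EFFORT = (80.0, 0.008)             # B, lam
# Cumulative counts every 3 months over 6 years, rounded to whole
# vulnerabilities the way a real count would be.
TIME_DATA = [(t, round(aml(t, *TRUE_TIME))) for t in range(0, 73, 3)]
# Constructed monthly usage (thousand user-months) that grows as the server
# gains market share; effort is its running total.
USAGE = [5.0 + 0.5 * m for m in range(36)]
EFFORT_DATA = [(E, round(ame(E, *TRUE_EFFORT)))
               for E in cumulative_effort(USAGE)]


def run_example():
    """Fit both models and predict beyond the observed window."""
    t_params, t_err = fit(aml, TIME_DATA,
                          init=(5e-4, 1.5 * max(y for _, y in TIME_DATA), 0.5))
    e_params, e_err = fit(ame, EFFORT_DATA,
                          init=(1.5 * max(y for _, y in EFFORT_DATA),
                                1.0 / max(E for E, _ in EFFORT_DATA)))
    return {
        "time_params": t_params,
        "time_sse": t_err,
        "effort_params": e_params,
        "effort_sse": e_err,
        # Predictions: total expected by month 96, and after 700 units of effort.
        "predicted_by_month_96": aml(96.0, *t_params),
        "predicted_after_effort_700": ame(700.0, *e_params),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The fitted B of each model is the estimate a vendor or user would act on: it is the total number of vulnerabilities the model expects for that release line, so the gap between B and the count found so far is the residual exposure still to be budgeted for. Because the constructed data is nearly saturated, both fits recover B closely; on a product still in its growth phase the B estimate is much less certain, which is the practical reason the abstract checks predictive capability separately from goodness of fit.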
