Dissertation/Thesis Abstract

Software vulnerabilities: Lifespans, metrics, and case study
by Wright, Jason L., M.S., University of Idaho, 2014, 117; 1556964
Abstract (Summary)

It is difficult for end-users to judge the risk posed by software security vulnerabilities. This thesis examines three aspects of the software security vulnerability ecosystem to determine if commonly used metrics are based on sound engineering principles.

First, the decision by several security research firms to decrease the grace period before publicly releasing vulnerability details was examined. No evidence was found suggest that periods less than 6 months are effective.

Second, two new metrics are presented which are more easily computed, repeatable, and verifiable than previous metrics. Both metrics provide the ability to compare software packages based on number of vulnerabilities and vendor response time.

Third, metrics based strictly on known vulnerabilities are brought into question. The number of bugs which represent vulnerabilities is estimated for a particular package and the estimated number of resulting vulnerabilities is found to be far greater than the currently known vulnerabilities.

Indexing (document details)
Advisor: Manic, Milos
Commitee: Dinolt, George W., McQueen, Miles A.
School: University of Idaho
Department: Computer Science
School Location: United States -- Idaho
Source: MAI 53/01M(E), Masters Abstracts International
Source Type: DISSERTATION
Subjects: Computer Engineering, Computer science
Keywords: Security, Vulnerabilities
Publication Number: 1556964
ISBN: 9781303934841