OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: Analyses Of Two End-User Software Vulnerability Exposure Metrics

Conference paper · OSTI ID: 1054309

The risk due to software vulnerabilities will not be completely resolved in the near future. Instead, it is important to put reliable vulnerability measures into the hands of end-users so that informed decisions can be made about the relative security exposure incurred by choosing one software package over another. To that end, we propose two new security metrics, average active vulnerabilities (AAV) and vulnerability free days (VFD). These metrics capture both the speed with which new vulnerabilities are reported to vendors and the rate at which software vendors fix them. We then examine how the metrics are computed using currently available datasets and demonstrate their estimation in a simulation experiment using four different browsers as a case study. Finally, we discuss how the metrics may be used by the various software stakeholders and applied to software usage decisions.
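As an added illustration (not code from the paper or from OSTI), the following Python computes the two metrics over a constructed disclosure/patch dataset. It assumes working definitions suggested by the metric names: AAV is the mean number of disclosed-but-unpatched vulnerabilities per day across an observation window, and VFD is the number of days in that window on which no such vulnerability exists; the product names and dates are invented.

```python
from datetime import date, timedelta

# Constructed sample, not data from the paper: per product, a list of
# (disclosure_date, patch_date). patch_date is None when no fix has shipped.
SAMPLE = {
    "browser_A": [
        (date(2012, 1, 3), date(2012, 1, 5)),
        (date(2012, 1, 8), date(2012, 1, 8)),   # same-day fix: never counted active
        (date(2012, 1, 12), None),              # still unpatched at window end
    ],
    "browser_B": [
        (date(2012, 1, 2), date(2012, 1, 10)),
        (date(2012, 1, 6), date(2012, 1, 7)),
    ],
}


def active_on(vulns, day):
    """Count vulnerabilities disclosed on or before `day` and not yet fixed.

    A vulnerability patched on `day` is treated as fixed for that day, so
    a same-day fix contributes no exposure.
    """
    return sum(
        1 for disclosed, patched in vulns
        if disclosed <= day and (patched is None or patched > day)
    )


def exposure_metrics(vulns, start, end):
    """Return (AAV, VFD) over the inclusive window [start, end].

    Assumed definitions: AAV = mean daily active count; VFD = number of
    days in the window whose active count is zero.
    """
    days = (end - start).days + 1
    counts = [active_on(vulns, start + timedelta(days=d)) for d in range(days)]
    aav = sum(counts) / days
    vfd = sum(1 for c in counts if c == 0)
    return aav, vfd


def compare_products(products, start, end):
    """Compute both metrics for every product so end-users can rank them."""
    return {name: exposure_metrics(v, start, end) for name, v in products.items()}


if __name__ == "__main__":
    for name, (aav, vfd) in compare_products(SAMPLE, date(2012, 1, 1), date(2012, 1, 14)).items():
        print(f"{name}: AAV={aav:.3f} VFD={vfd}")
```

A lower AAV and a higher VFD both indicate less exposure for the end-user over the chosen window.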

Research Organization: Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Organization: USDOE
DOE Contract Number: DE-AC07-05ID14517
Report Number(s): INL/CON-12-24842
Resource Relation: Conference: ARES: Intl. Conf. on Availability, Reliability and Security, Prague, Czech Republic, 08/20/2012 to 08/24/2012
Country of Publication: United States
Language: English