An Idea of an Independent Validation of Vulnerability Discovery Models

  • Viet Hung Nguyen
  • Fabio Massacci
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7159)


A precise vulnerability discovery model (VDM) would give a useful quantitative handle for assessing software security. Several models have been proposed so far, with some evidence supporting their goodness of fit. In this work we describe an independent validation of the applicability of these models to the vulnerabilities of the popular browsers Firefox, Google Chrome and Internet Explorer. The result shows that some VDMs simply do not fit the data, while for others there is both positive and negative evidence.
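The abstract rests on "goodness of fit" of a VDM to a browser's cumulative vulnerability count, so the mechanics are worth seeing once. The following is an added example, not code from the paper or its authors, and the page does not describe the authors' actual procedure: it fits the Alhazmi-Malaiya Logistic (AML) model, which the cited Alhazmi and Malaiya papers introduce, to a monthly cumulative count and applies Pearson's chi-square test, the check those papers use to report fit. The two input series, the parameter values (A=0.002, B=100, C=0.05 and the two-wave mixture), the 24-month window and all function names are constructed here for illustration; a real input would be the cumulative number of CVEs per month for one browser version. Standard library only, so it runs offline.

```python
"""Fit the Alhazmi-Malaiya Logistic (AML) vulnerability discovery model to a
cumulative vulnerability count and test goodness of fit with Pearson's chi-square.
AML:  Omega(t) = B / (B*C*exp(-A*B*t) + 1)
  B = vulnerabilities that will eventually be found; A, C = shape parameters."""
import math

def aml(t, A, B, C):
    """Cumulative vulnerabilities the AML model predicts at time t."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def _ols(xs, ys):
    """Ordinary least squares y = m*x + q, returning (m, q)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    m = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return m, my - m * mx

def _fit_given_B(ts, counts, B):
    """With B fixed the model linearises: ln(B/Omega - 1) = ln(B*C) - A*B*t.
    Returns (A, C, sse), or None when B is inadmissible for this series."""
    pts = [(t, c) for t, c in zip(ts, counts) if 0 < c < B]  # zero counts have no log
    if len(pts) < 3:
        return None
    m, q = _ols([t for t, _ in pts], [math.log(B / c - 1.0) for _, c in pts])
    if m >= 0:  # counts accumulate, so the slope -A*B must be negative
        return None
    A, C = -m / B, math.exp(q) / B
    return A, C, sum((c - aml(t, A, B, C)) ** 2 for t, c in zip(ts, counts))

def fit_aml(ts, counts):
    """Least-squares (A, B, C): log-spaced grid over B, then golden-section
    refinement between the neighbours of the best grid point."""
    lo, hi = max(counts) * 1.0001, max(counts) * 50.0
    grid = [lo * (hi / lo) ** (i / 199) for i in range(200)]

    def sse(B):
        r = _fit_given_B(ts, counts, B)
        return r[2] if r else float("inf")

    i = min(range(len(grid)), key=lambda k: sse(grid[k]))
    a, b = grid[max(i - 1, 0)], grid[min(i + 1, len(grid) - 1)]
    phi = (math.sqrt(5) - 1) / 2
    x1, x2 = b - phi * (b - a), a + phi * (b - a)
    f1, f2 = sse(x1), sse(x2)
    for _ in range(80):
        if f1 < f2:
            b, x2, f2 = x2, x1, f1
            x1 = b - phi * (b - a)
            f1 = sse(x1)
        else:
            a, x1, f1 = x1, x2, f2
            x2 = a + phi * (b - a)
            f2 = sse(x2)
    B = (a + b) / 2 if sse((a + b) / 2) < float("inf") else grid[i]
    r = _fit_given_B(ts, counts, B)
    if r is None:
        raise ValueError("no admissible AML fit for this series")
    return r[0], B, r[1], r[2]

def chi_square(ts, counts, A, B, C):
    """Pearson chi-square of observed versus model-predicted cumulative counts."""
    return sum((c - aml(t, A, B, C)) ** 2 / aml(t, A, B, C) for t, c in zip(ts, counts))

def chi_square_pvalue(x, df):
    """Upper-tail probability of chi-square(df) at x, from the series expansion
    of the regularised lower incomplete gamma function P(df/2, x/2)."""
    if x <= 0:
        return 1.0
    s, z = df / 2.0, x / 2.0
    if z > 500:  # tail is numerically zero; avoids overflow in the series
        return 0.0
    term = total = 1.0 / s
    n = 1
    while term > total * 1e-16 and n < 100000:
        term *= z / (s + n)
        total += term
        n += 1
    return max(0.0, 1.0 - total * math.exp(s * math.log(z) - z - math.lgamma(s)))

# Constructed inputs (not from the paper): 24 monthly cumulative counts.
MONTHS = list(range(24))
# Series 1: AML with A=0.002, B=100, C=0.05, rounded to whole vulnerabilities.
SATURATING = [round(aml(t, 0.002, 100.0, 0.05)) for t in MONTHS]
# Series 2: a second discovery wave begins at month 12 (a major new release),
# which a single logistic curve cannot follow.
TWO_WAVE = [round(aml(t, 0.004, 40.0, 0.08) + (aml(t - 12, 0.004, 60.0, 0.08) if t >= 12 else 0.0))
            for t in MONTHS]

def validate(ts, counts, alpha=0.05):
    """Fit AML, then Pearson chi-square with df = points - 3 fitted parameters;
    rejected=True means the model does not fit the series at level alpha."""
    A, B, C, _ = fit_aml(ts, counts)
    chi2 = chi_square(ts, counts, A, B, C)
    p = chi_square_pvalue(chi2, len(ts) - 3)
    return {"A": A, "B": B, "C": C, "chi2": chi2, "p": p, "rejected": p < alpha}

if __name__ == "__main__":
    for name, series in (("saturating", SATURATING), ("two-wave", TWO_WAVE)):
        r = validate(MONTHS, series)
        print(f"{name:10s} B={r['B']:6.1f} chi2={r['chi2']:6.2f} p={r['p']:.3f} rejected={r['rejected']}")
```

Two caveats a practitioner should carry into any such validation. Pearson's test assumes independent observations, and cumulative counts are not independent (each month contains all earlier months), so the test is lenient: a model can pass it on a series it describes poorly, as the two-wave series above tends to show when its chi-square is compared with the saturating one. And the fitted B is the model's claim about how many vulnerabilities the product will ever have; refitting on successive observation windows and watching whether B stays put is a cheaper and more telling check than a single end-of-series test.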






  1. Alhazmi, O., Malaiya, Y.: Modeling the vulnerability discovery process. In: Proc. of the 16th IEEE Int. Symp. on Software Reliab. Eng., ISSRE 2005 (2005)
  2. Alhazmi, O., Malaiya, Y.: Quantitative vulnerability assessment of systems software. In: Proc. of RAMS 2005 (2005)
  3. Alhazmi, O., Malaiya, Y.: Application of vulnerability discovery models to major operating systems. IEEE Trans. on Reliab. 57(1), 14–22 (2008)
  4. Alhazmi, O., Malaiya, Y., Ray, I.: Security Vulnerabilities in Software Systems: A Quantitative Perspective. In: Jajodia, S., Wijesekera, D. (eds.) Data and Applications Security 2005. LNCS, vol. 3654, pp. 281–294. Springer, Heidelberg (2005)
  5. Anderson, R.: Security in open versus closed systems: the dance of Boltzmann, Coase and Moore. In: Proc. of Open Source Software: Economics, Law and Policy (2002)
  6. Avizienis, A., Laprie, J.-C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing 1(1), 11–33 (2004)
  7. Krsul, I.: Software Vulnerability Analysis. PhD thesis, Purdue University (1998)
  8. Massacci, F., Neuhaus, S., Nguyen, V.H.: After-Life Vulnerabilities: A Study on Firefox Evolution, its Vulnerabilities and Fixes. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 195–208. Springer, Heidelberg (2011)
  9. Massacci, F., Nguyen, V.H.: Which is the right source for vulnerability studies? An empirical analysis on Mozilla Firefox. In: Proc. of MetriSec 2010 (2010)
  10. R Development Core Team: R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing (2011) ISBN 3-900051-07-0
  11. Rescorla, E.: Is finding security holes a good idea? IEEE Security & Privacy 3(1), 14–19 (2005)
  12. Schneider, F.B.: Trust in Cyberspace. National Academy Press (1991)
  13. Sliwerski, J., Zimmermann, T., Zeller, A.: When do changes induce fixes? In: Proc. of the 2nd Int. Working Conf. on Mining Software Repositories, MSR 2005 (2005)
  14. Woo, S., Alhazmi, O., Malaiya, Y.: An analysis of the vulnerability discovery process in web browsers. In: Proc. of the 10th IASTED SEA 2006 (2006)
  15. Woo, S., Joh, H., Alhazmi, O., Malaiya, Y.: Modeling vulnerability discovery process in Apache and IIS HTTP servers. Computers & Security 30(1), 50–62 (2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Viet Hung Nguyen, Università degli Studi di Trento, Trento, Italy
  • Fabio Massacci, Università degli Studi di Trento, Trento, Italy
