DeepAI
Log In Sign Up

A Historical and Statistical Studyof the Software Vulnerability Landscape

02/02/2021
by   Assane Gueye, et al.
0

Understanding the landscape of software vulnerabilities is key for developing effective security solutions. Fortunately, the evaluation of vulnerability databases that use a framework for communicating vulnerability attributes and their severity scores, such as the Common Vulnerability Scoring System (CVSS), can help shed light on the nature of publicly published vulnerabilities. In this paper, we characterize the software vulnerability landscape by performing a historical and statistical analysis of CVSS vulnerability metrics over the period of 2005 to 2019 through using data from the National Vulnerability Database. We conduct three studies analyzing the following: the distribution of CVSS scores (both empirical and theoretical), the distribution of CVSS metric values and how vulnerability characteristics change over time, and the relative rankings of the most frequent metric value over time. Our resulting analysis shows that the vulnerability threat landscape has been dominated by only a few vulnerability types and has changed little during the time period of the study. The overwhelming majority of vulnerabilities are exploitable over the network. The complexity to successfully exploit these vulnerabilities is dominantly low; very little authentication to the target victim is necessary for a successful attack. And most of the flaws require very limited interaction with users. However on the positive side, the damage of these vulnerabilities is mostly confined within the security scope of the impacted components. A discussion of lessons that could be learned from this analysis is presented.

READ FULL TEXT

page 1

page 4

page 5

page 8

12/11/2022

Understanding Concurrency Vulnerabilities in Linux Kernel

While there is a large body of work on analyzing concurrency related sof...
01/03/2018

A Look at the Time Delays in CVSS Vulnerability Scoring

This empirical paper examines the time delays that occur between the pub...
06/15/2020

A Suite of Metrics for Calculating the Most Significant Security Relevant Software Flaw Types

The Common Weakness Enumeration (CWE) is a prominent list of software we...
06/27/2020

Domain Name System Security and Privacy: A Contemporary Survey

The domain name system (DNS) is one of the most important components of ...
12/02/2021

A Grounded Theory Based Approach to Characterize Software Attack Surfaces

The notion of Attack Surface refers to the critical points on the bounda...
02/15/2021

Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits

Assessing the exploitability of software vulnerabilities at the time of ...
12/07/2020

Vulnerability Forecasting: In theory and practice

Why wait for zero-days when you could predict them in advance? It is pos...