Which is the right source for vulnerability studies? An empirical analysis on Mozilla Firefox

F. Massacci, V.H. Nguyen

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Recent years have seen a trend towards the notion of quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Many papers focused on vulnerability discovery models based upon either public vulnerability databases (e.g., CVE, NVD) or vendor ones (e.g., MFSA). Some combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of the vulnerability databases themselves. We provide an analytical comparison of different security metric papers and their respective data sources. We also show, based on experimental data for Mozilla Firefox, how using different data sources might lead to completely different results. © 2010 ACM.
Original language: English
Title of host publication: 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
DOIs
Publication status: Published - 2010
Externally published: Yes
Event: 6th International Workshop on Security Measurements and Metrics, MetriSec 2010, Italy
Duration: 15 Sept 2010 - 15 Sept 2010

Publication series

Name: 6th International Workshop on Security Measurements and Metrics, MetriSec 2010

Conference

Conference: 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
Country/Territory: Italy
Period: 15/09/10 - 15/09/10
