Empirical study of the life-cycle of security vulnerabilities.
- Stefan Frei, Martin May, Ulrich Fiedler, Bernhard Plattner
- September 11, 2006, ACM SIGCOMM 2006 Workshop
The security level of networks and systems is determined by the software vulnerabilities of their elements. Defending against large-scale attacks requires a quantitative understanding of the vulnerability lifecycle. Specifically, one has to understand how the exploitation and remediation of vulnerabilities, as well as the distribution of information about them, is handled by industry.
In this paper, we examine how vulnerabilities are handled at large scale, analyzing more than 80,000 security advisories published since 1995. Based on this information, we quantify the performance of the security industry as a whole. We discover trends and discuss their implications. We quantify the gap between exploit and patch availability and provide an analytical representation of our data which lays the foundation for further analysis and risk management.