We often find papers suggesting this or that Vulnerability Discovery Model
(VDM), borrowing from fields as diverse as thermodynamics and logistics, and
deriving more or less stretched economic conclusions from it. In this work I
will report an empirical study on the popular browsers Firefox, Google Chrome
and Internet Explorer covering several years and several versions.
I will describe our findings and concepts such as the notion of after-life
vulnerability (around a third of vulnerabilities are discovered after the
version goes out of support) and the validation of the old Milk-or-Wine
study. We have analyzed how vulnerability data sets built on different
definitions of "vulnerability" affect the VDMs' performance. The result
shows that some VDMs simply do not fit the data (no matter how it is
computed), while for others there is both positive and negative evidence.
The only (positive) conclusion of this study is that using "confirmed"
vulnerabilities yields more stable results.
Fabio Massacci received an M.Eng. in 1993 and a Ph.D. in Computer Science and
Engineering from the University of Rome La Sapienza in 1998. He visited
Cambridge University in 1996-97 and was a visiting researcher at IRIT Toulouse
in 2000. He joined the University of Siena as Assistant Professor in 1999,
and in 2001 he moved to Trento, where he is now a full professor.
His research interests are in security requirements engineering and
verification and load-time security for mobile and embedded systems
(Security-by-Contract). His current h-index is X (Google Scholar) and Y