Using CVSS to quantitatively analyze risks to software caused by vulnerabilities
Quantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate softwa...
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
EDP Sciences
2015-01-01
|
| Series: | MATEC Web of Conferences |
| Online Access: | http://dx.doi.org/10.1051/matecconf/20153116004 |
| _version_ | 1819275247143092224 |
|---|---|
| author | Gao Jian-Bo Zhang Bao-Wen Chen Xiao-Hua |
| author_facet | Gao Jian-Bo Zhang Bao-Wen Chen Xiao-Hua |
| author_sort | Gao Jian-Bo |
| collection | DOAJ |
| description | Quantitative methods for evaluating and managing software security are becoming reliable with the ever
increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to
quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security. |
| first_indexed | 2024-12-23T23:21:17Z |
| format | Article |
| id | doaj.art-9856f4abbb6a41d584fdd85925556f9b |
| institution | Directory Open Access Journal |
| issn | 2261-236X |
| language | English |
| last_indexed | 2024-12-23T23:21:17Z |
| publishDate | 2015-01-01 |
| publisher | EDP Sciences |
| record_format | Article |
| series | MATEC Web of Conferences |
| spelling | doaj.art-9856f4abbb6a41d584fdd85925556f9b2022-12-21T17:26:20ZengEDP SciencesMATEC Web of Conferences2261-236X2015-01-01311600410.1051/matecconf/20153116004matecconf_icmee2015_16004Using CVSS to quantitatively analyze risks to software caused by vulnerabilitiesGao Jian-BoZhang Bao-Wen0Chen Xiao-Hua1Information Security Department of Shanghai Jiao Tong UniversityChina Information Security Certification CenterQuantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security.http://dx.doi.org/10.1051/matecconf/20153116004 |
| spellingShingle | Gao Jian-Bo Zhang Bao-Wen Chen Xiao-Hua Using CVSS to quantitatively analyze risks to software caused by vulnerabilities MATEC Web of Conferences |
| title | Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities |
| title_full | Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities |
| title_fullStr | Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities |
| title_full_unstemmed | Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities |
| title_short | Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities |
| title_sort | using cvss to quantitatively analyze risks to software caused by vulnerabilities |
| url | http://dx.doi.org/10.1051/matecconf/20153116004 |
| work_keys_str_mv | AT gaojianbo usingcvsstoquantitativelyanalyzeriskstosoftwarecausedbyvulnerabilities AT zhangbaowen usingcvsstoquantitativelyanalyzeriskstosoftwarecausedbyvulnerabilities AT chenxiaohua usingcvsstoquantitativelyanalyzeriskstosoftwarecausedbyvulnerabilities |