Authors
Omar H Alhazmi, Yashwant K Malaiya
Publication date
2006/1/23
Conference
RAMS'06. Annual Reliability and Maintainability Symposium, 2006.
Pages
86-91
Publisher
IEEE
Description
Quantitative approaches for software security are needed for effective testing, maintenance and risk assessment of software systems. Vulnerabilities that are present in an operating system after its release represent a great risk. Vulnerability discovery models (VDMs) have been proposed to model vulnerability discovery and have been fitted to vulnerability data against calendar time. The models have been shown to fit very well. In this paper, we investigate the prediction capabilities that these models offer by evaluating accuracy of predictions made with partial data. We examine both the recently proposed logistic model and a new linear model. In addition to VDMs, we consider static approaches to estimating some of the major attributes of the vulnerability discovery process, presenting a static approach to estimating the initial values of one of the VDM's parameters. We also suggest the use of constraints for …
Scholar articles
OH Alhazmi, YK Malaiya - RAMS'06. Annual Reliability and Maintainability …, 2006