Vulnerability distribution scoring for software product security assessment

摘要

Objective and measurable enterprise security remains elusive despite the increasing importance of IT security in many organisations. Some security assurance tasks within the field are subject to significant theoretical and technical challenges. One area in which progress is more tangible is software security assessment. Despite some shortcomings in the available data, there is still enough information available to begin making more detailed analyses which can improve decision making on enterprise security. The current study presents an approach for software security assessment called Vulnerability Distribution Scoring which evaluates a software product based on the characteristics of the vulnerabilities it has exhibited. Results are presented from applying the approach to the national vulnerability database (NVD) and demonstrate an effective means of rating the security of software products and software vendors.