Software Vulnerability Life Cycles and the Age of Software Products: An Empirical Assertion with Operating System Products

Jukka Ruohonen, Sami Hyrynsalmi, Ville Leppänen, Software Vulnerability Life Cycles and the Age of Software Products: An Empirical Assertion with Operating System Products. In: John Krogstie, Haralambos Mouratidis, Jianwen Su (Eds.), Advanced Information Systems Engineering Workshops – CAiSE 2016 International Workshops, Ljubljana, Slovenia, June 13-17, 2016, Proceedings, Lecture Notes in Business Information Processing 249, 207–218, Springer International Publishing, 2016.



This empirical paper examines whether the age of software products can explain the turnaround between the release of security advisories and the publication of vulnerability information. Building on the theoretical rationale of vulnerability life cycle modeling, this assertion is examined with an empirical sample that covers operating system releases from Microsoft and two Linux vendors. Estimation is carried out with a linear regression model. The results indicate that the age of the observed Microsoft products does not affect the turnaround times, and only feeble statistical relationships are present for the examined Linux releases. With this negative result, the paper contributes to the vulnerability life cycle modeling research by presenting and rejecting one theoretically motivated and previously unexplored question. The rejection is also a positive result; there is no reason for users to fear that the turnaround times would significantly lengthen as operating system releases age.
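The regression the abstract describes, as an added illustration that is not code from the paper: constructed advisory records (not real vendor data), a signed turnaround in days from vendor advisory to vulnerability publication, product age in days at advisory time, and a per-product ordinary least squares fit of turnaround on age. Product names, dates and the direction of the turnaround measure are assumptions.

```python
from datetime import date, timedelta
from math import sqrt

# Constructed sample (not real advisory data): one record per advisory.
# "released" is the OS release date, "advisory" the vendor advisory date and
# "published" the date the vulnerability information (e.g. a CVE entry) appeared.
_REL_A = date(2012, 1, 1)
_REL_B = date(2013, 6, 1)

def _rec(product, released, age_days, turnaround_days):
    advisory = released + timedelta(days=age_days)
    return {"product": product, "released": released, "advisory": advisory,
            "published": advisory + timedelta(days=turnaround_days)}

RECORDS = [
    _rec("OS-A", _REL_A, 100, 5), _rec("OS-A", _REL_A, 200, 7),
    _rec("OS-A", _REL_A, 300, 6), _rec("OS-A", _REL_A, 400, 8),
    _rec("OS-B", _REL_B, 50, 4), _rec("OS-B", _REL_B, 150, 6),
    _rec("OS-B", _REL_B, 250, 6), _rec("OS-B", _REL_B, 350, 4),
]

def product_age_days(rec):
    """Age of the product (days since release) when the advisory came out."""
    return (rec["advisory"] - rec["released"]).days

def turnaround_days(rec):
    """Signed days from advisory to vulnerability publication (assumed direction)."""
    return (rec["published"] - rec["advisory"]).days

def ols(xs, ys):
    """Ordinary least squares y = a + b*x; returns (intercept, slope, Pearson r)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    slope = sxy / sxx
    r = sxy / sqrt(sxx * syy) if syy else 0.0
    return my - slope * mx, slope, r

def fit_by_product(records):
    """Fit turnaround on product age separately for each product."""
    out = {}
    for p in sorted({r["product"] for r in records}):
        subset = [r for r in records if r["product"] == p]
        xs = [product_age_days(r) for r in subset]
        ys = [turnaround_days(r) for r in subset]
        out[p] = ols(xs, ys)
    return out

if __name__ == "__main__":
    for p, (a, b, r) in fit_by_product(RECORDS).items():
        print(f"{p}: turnaround = {a:.2f} + {b:.4f} * age_days  (r = {r:.2f})")
```

With the constructed data, OS-B shows a zero slope (the kind of null relationship the paper reports for Microsoft products), while OS-A shows a small positive one; on real data the slope's standard error, not just its sign, decides whether age matters.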

BibTeX entry:

@inproceedings{CITATION_KEY,
  title = {Software Vulnerability Life Cycles and the Age of Software Products: An Empirical Assertion with Operating System Products},
  booktitle = {Advanced Information Systems Engineering Workshops -- CAiSE 2016 International Workshops, Ljubljana, Slovenia, June 13-17, 2016, Proceedings},
  author = {Ruohonen, Jukka and Hyrynsalmi, Sami and Lepp{\"a}nen, Ville},
  volume = {249},
  series = {Lecture Notes in Business Information Processing},
  editor = {Krogstie, John and Mouratidis, Haralambos and Su, Jianwen},
  publisher = {Springer International Publishing},
  pages = {207--218},
  year = {2016},
  keywords = {Security patching, Operating system, Negative result, Microsoft, Linux},
  ISSN = {1865-1348},
}

Belongs to TUCS Research Unit(s): Software Development Laboratory (SwDev)

Publication Forum rating of this publication: level 1
