http://dx.doi.org/10.33851/JMIS.2021.8.4.259

Empirical Risk Assessment in Major Graphical Design Software Systems  

Joh, HyunChul (School of Computer Science, Kyungil University)
Lee, JooYoung (School of Interdisciplinary Studies (Fashion Design Major), Kyungil University)
Publication Information
Journal of Multimedia Information System / v.8, no.4, 2021, pp. 259-266
Abstract
Security vulnerabilities have been reported in major design software systems such as Adobe Photoshop and Illustrator, which are recognized as de facto standard design tools in most of the design industries. Companies need to evaluate and manage the risk levels posed by those vulnerabilities so that they can mitigate potential security breaches in advance. In general, security vulnerabilities are discovered repeatedly throughout a software system's life cycle as long as it remains in use. Hence, in this study, we empirically analyze risk levels for three major graphical design software systems, namely Photoshop, Illustrator and GIMP, with respect to a software vulnerability discovery model. The analysis reveals that the Alhazmi-Malaiya Logistic model tends to describe the vulnerability discovery patterns significantly. This indicates that the vulnerability discovery model makes it possible to predict vulnerability discovery in advance for these software systems. We also found that none of the examined vulnerabilities requires even a single authentication step for a successful attack, which suggests that adding an authentication process to software systems dramatically reduces the probability of exploitation. The analysis further discloses that, for all three software systems, predictions based on evenly distributed, daily-based datasets perform better than estimations based on datasets of vulnerability reporting dates only. The observed outcome allows software development managers to prepare proactively for a hostile environment by deploying the necessary resources before the expected time of vulnerability discovery. In addition, it can periodically remind designers who use these software systems to be aware of the security risks related to their digital work environments.
Keywords
Software Security; Vulnerability Discovery Model; Adobe Photoshop; Illustrator; GIMP;
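As an added illustration, not code or data from the paper, the Alhazmi-Malaiya Logistic model named in the abstract, Ω(t) = B / (B·C·e^(−A·B·t) + 1), is fitted here to a constructed set of reporting dates in two forms: the sparse dataset of reporting dates only, and the evenly spaced daily dataset the abstract reports as giving better predictions. The reporting dates, the grid-search ranges and the day-level expansion are assumptions made for the example.

```python
"""Alhazmi-Malaiya Logistic (AML) vulnerability discovery model fitted to a
constructed series of vulnerability reporting dates (illustrative data, not
the Photoshop/Illustrator/GIMP data from the paper)."""
import math
from datetime import date, timedelta

# Constructed reporting dates for one product over 2021, shaped like the
# slow-start / fast-middle / saturating pattern the AML model describes.
REPORT_DATES = [date(2021, m, d) for m, d in [
    (1, 20), (3, 5), (4, 10), (4, 28), (5, 12), (5, 20), (6, 2), (6, 9),
    (6, 15), (6, 30), (7, 14), (8, 3), (9, 10), (11, 2)]]
START, END = date(2021, 1, 1), date(2021, 12, 31)

def aml(t, A, B, C):
    """Expected cumulative vulnerabilities at time t. B is the total that will
    eventually be found; A and C control the steepness and the starting point."""
    return B / (B * C * math.exp(-A * B * t) + 1)

def reporting_date_points(report_dates, start):
    """Dataset of reporting dates only: one (day, cumulative count) pair per report."""
    return [((d - start).days, i) for i, d in enumerate(sorted(report_dates), 1)]

def daily_points(report_dates, start, end):
    """Evenly spaced daily dataset: cumulative count carried forward on every day."""
    reports, points, total, i = sorted(report_dates), [], 0, 0
    for t in range((end - start).days + 1):
        day = start + timedelta(days=t)
        while i < len(reports) and reports[i] <= day:
            total, i = total + 1, i + 1
        points.append((t, total))
    return points

def fit_aml(points):
    """Least-squares fit by grid search (kept dependency-free; a real study would
    use a proper nonlinear solver). Returns (A, B, C, sse)."""
    y_max = max(y for _, y in points)
    best = None
    for B in range(y_max, 3 * y_max + 1):
        for A in (0.0002, 0.0003, 0.0005, 0.0007, 0.001, 0.0015, 0.002, 0.003, 0.005):
            for C in (0.05, 0.1, 0.2, 0.3, 0.5, 0.75, 1, 1.5, 2, 3, 5):
                sse = sum((aml(t, A, B, C) - y) ** 2 for t, y in points)
                if best is None or sse < best[3]:
                    best = (A, B, C, sse)
    return best

if __name__ == "__main__":
    for name, pts in (("reporting dates only", reporting_date_points(REPORT_DATES, START)),
                      ("daily series", daily_points(REPORT_DATES, START, END))):
        A, B, C, sse = fit_aml(pts)
        print(f"{name}: A={A} B={B} C={C} SSE={sse:.1f} "
              f"predicted total by day 364 = {aml(364, A, B, C):.1f}")
```

The fitted B is the model's estimate of how many vulnerabilities will eventually be found, so the gap between B and the count observed so far is the quantity a development manager would budget resources against.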