http://dx.doi.org/10.13089/JKIISC.2015.25.4.921

Quantitative Scoring System on the Importance of Software Vulnerabilities

Ahn, Joonseon (Korea Aerospace University)
Chang, Byeong-Mo (Sookmyung Women's University)
Lee, Eunyoung (Dongduk Women's University)
Abstract
We propose a new scoring system for software vulnerabilities that quantitatively calculates their severity. The proposed scoring system consists of severity metrics and scoring equations; the metrics are designed to measure the severity of a software vulnerability by considering the prevalence of the vulnerability, its risk level, the domestic market share of the affected software and the frequency of the software. We applied the proposed scoring system to software vulnerabilities reported domestically (in Korea) and discussed its effectiveness by comparing it with CVSS and CWSS. We also suggest prospective areas in which the proposed scoring system could be utilized.
Keywords
software security; software weakness; software vulnerability; scoring system
Citations & Related Records
Times Cited By KSCI: 3