MATEC Web of Conferences
Volume 31, 20152015 7th International Conference on Mechanical and Electronics Engineering (ICMEE 2015)
|Number of page(s)||3|
|Section||Computer theory and application|
|Published online||23 November 2015|
Using CVSS to quantitatively analyze risks to software caused by vulnerabilities
1 Department of Electronic and Information Engineeringof Nanchang Hangkong University, Nanchang 330063, China
2 Information Security Department of Shanghai Jiao Tong University, Shanghai 200240, China
3 China Information Security Certification Center, Beijing 100020, China
a Corresponding author: email@example.com
Quantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security.
© Owned by the authors, published by EDP Sciences, 2015
This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.
Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.
Initial download of the metrics may take a while.