A Framework for Software Security Risk Evaluation using the Vulnerability Lifecycle and CVSS Metrics

A vulnerability that has been discovered but is unpatched represents a security risk to a system. During the lifetime of a software system, new vulnerabilities are discovered over time. There are two opposing actors, the patch developers and the potential exploiters. An exploit can happen immediately after a disclosure, perhaps even before the disclosure if the discovery is made by a black-hat finder. Here, a framework for software risk evaluation with respect to the vulnerability lifecycle is proposed. Risk can be evaluated using the likelihood of a security breach and the impact of that adverse event on the system. The proposed approach models the vulnerability lifecycle as a stochastic process. Some of the CVSS metrics can be used to evaluate the impact of the breach. The model uses the information about the transition rates with the related distributions and can lead to simplified as well as detailed modeling methods. It allows a comparison of software systems in terms of the risk and potential approaches for optimization of remediation. KeywordsSecurity vulnerabilities; Vulnerability Risk Index (VRI); CVSS; Vulnerability lifecycle