Using CVSS to quantitatively analyze risks to software caused by
vulnerabilities

Gao Jian-Bo; Zhang Bao-Wen; Chen Xiao-Hua

doi:10.1051/matecconf/20153116004

MATEC Web of Conferences (Jan 2015)

Using CVSS to quantitatively analyze risks to software caused by vulnerabilities

Gao Jian-Bo,
Zhang Bao-Wen,
Chen Xiao-Hua

Affiliations

Gao Jian-Bo
Zhang Bao-Wen: Information Security Department of Shanghai Jiao Tong University
Chen Xiao-Hua: China Information Security Certification Center

DOI: https://doi.org/10.1051/matecconf/20153116004
Journal volume & issue: Vol. 31
p. 16004

Abstract

Read online

Quantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security.

Published in MATEC Web of Conferences

ISSN: 2261-236X (Online)
Publisher: EDP Sciences
Country of publisher: France
LCC subjects: Technology: Engineering (General). Civil engineering (General)
Website: http://www.matec-conferences.org

About the journal