{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,18]],"date-time":"2026-01-18T18:53:16Z","timestamp":1768762396791,"version":"3.49.0"},"reference-count":41,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2015,3,27]],"date-time":"2015-03-27T00:00:00Z","timestamp":1427414400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Software Qual J"],"published-print":{"date-parts":[[2016,3]]},"DOI":"10.1007\/s11219-015-9274-6","type":"journal-article","created":{"date-parts":[[2015,3,27]],"date-time":"2015-03-27T15:26:25Z","timestamp":1427469985000},"page":"159-202","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":38,"title":["Assessing vulnerability exploitability risk using software properties"],"prefix":"10.1007","volume":"24","author":[{"given":"Awad","family":"Younis","sequence":"first","affiliation":[]},{"given":"Yashwant K.","family":"Malaiya","sequence":"additional","affiliation":[]},{"given":"Indrajit","family":"Ray","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2015,3,27]]},"reference":[{"key":"9274_CR1","doi-asserted-by":"crossref","unstructured":"Alhazmi, O. H., & Malaiya,Y. K. (2005). Modeling the vulnerability discovery process. In: Proceedings of the 16th IEEE international symposium on software reliability engineering (ISSRE\u201905) (pp. 1\u201310). doi: 10.1109\/ISSRE.2005.30 .","DOI":"10.1109\/ISSRE.2005.30"},{"issue":"3","key":"9274_CR2","doi-asserted-by":"crossref","first-page":"219","DOI":"10.1016\/j.cose.2006.10.002","volume":"26","author":"OH Alhazmi","year":"2007","unstructured":"Alhazmi, O. H., Malaiya, Y. K., & Ray, I. (2007). Measuring, analyzing and predicting security vulnerabilities in software systems. Computers & Security, 26(3), 219\u2013228. doi: 10.1016\/j.cose.2006.10.002 .","journal-title":"Computers & Security"},{"key":"9274_CR3","doi-asserted-by":"crossref","unstructured":"Allodi, L., & Massacci, F. (2012). A preliminary analysis of vulnerability scores for attacks in wild. In: Proceedings of the 2012 ACM workshop on Building analysis datasets and gathering experience returns for security (BADGERS 12) (pp. 17\u201324). ISBN: 978-1-4503-1661-3. doi: 10.1145\/2382416.2382427","DOI":"10.1145\/2382416.2382427"},{"key":"9274_CR4","unstructured":"Allodi, L., & Massacci, F. (2013). My Software has a vulnerability, should I worry? Corrnel Univsity Library (pp. 12). arXiv:1301.1275. http:\/\/www.arxiv.org\/pdf\/1301.1275v3.pdf . Accessed 2 Aug 2013."},{"key":"9274_CR5","doi-asserted-by":"crossref","unstructured":"Allodi, L., Shim, W., & Massacci, F. (2013). Quantitative Assessment of risk reduction with cybercrime black market monitoring. IEEE Security and Privacy Workshops (SPW) (pp. 165\u2013172). doi: 10.1109\/SPW.2013.16","DOI":"10.1109\/SPW.2013.16"},{"key":"9274_CR6","unstructured":"Apache-SVN. (2014). the apache software foundation. http:\/\/www.svn.apache.org\/viewvc\/ . Accessed 27 Mar 2014."},{"issue":"12","key":"9274_CR7","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1109\/2.889093","volume":"33","author":"WA Arbaugh","year":"2000","unstructured":"Arbaugh, W. A., Fithen, W. L., & John, M. (2000). Windows of vulnerability: A case study analysis. Computer, 33(12), 52\u201359. doi: 10.1109\/2.889093 .","journal-title":"Computer"},{"key":"9274_CR8","unstructured":"Archive.apache.org. (2014). The apache software foundation. http:\/\/www.archive.apache.org\/dist\/httpd\/ . Accessed 2 Aug 2014."},{"issue":"3","key":"9274_CR9","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1145\/2560217.2560219","volume":"26","author":"T Avgerinos","year":"2014","unstructured":"Avgerinos, T., Cha, S. K., Rebert, A., Schwartz, E. J., Woo, M., & Brumley, D. (2014). Automatic exploit generation. Communications of the ACM, 26(3), 74\u201384. doi: 10.1145\/2560217.2560219 .","journal-title":"Communications of the ACM"},{"key":"9274_CR10","doi-asserted-by":"crossref","unstructured":"Bhattacharya, P., Iliofotou, M., Neamtiu, I., & Faloutsos, M. (2012). Graph-based analysis and prediction for software evolution. In: Proceedings of the 34th international conference on software engineering (ICSE \u201812) (pp. 419\u2013429). ISBN: 978-1-4673-1067-3.","DOI":"10.1109\/ICSE.2012.6227173"},{"key":"9274_CR11","doi-asserted-by":"crossref","unstructured":"Bozorgi, M., Saul, L. K., Savage, S., & Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In: Proceedings of the 16th ACM SIGKDD international conference on knowledge discovery and data mining (KDD \u201810) (pp. 105\u2013114). doi: 10.1145\/1835804.1835821","DOI":"10.1145\/1835804.1835821"},{"key":"9274_CR12","unstructured":"Brenneman, D. (2012). Improving software security by identifying and securing paths linking attack surface to attack target. McCabe Software Inc. White Paper. http:\/\/www.mccabe.com\/ . Accessed 4 Aug 2014."},{"issue":"1","key":"9274_CR13","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1109\/52.976940","volume":"19","author":"D Evans","year":"2002","unstructured":"Evans, D., & Larochelle, D. (2002). Improving security using extensible lightweight static analysis. IEEE Software, 19(1), 42\u201351. doi: 10.1109\/52.976940 .","journal-title":"IEEE Software"},{"issue":"3","key":"9274_CR14","doi-asserted-by":"crossref","first-page":"319","DOI":"10.1145\/24039.24041","volume":"9","author":"J Ferrante","year":"1987","unstructured":"Ferrante, J., Ottenstein, K. J., & Warren, J. D. (1987). The program dependence graph and its use in optimization. ACM Transactions on Programming Languages and Systems (TOPLAS), 9(3), 319\u2013349. doi: 10.1145\/24039.24041 .","journal-title":"ACM Transactions on Programming Languages and Systems (TOPLAS)"},{"key":"9274_CR15","unstructured":"Frei, S., Tellenbach, B., & Plattner, B. (2008). 0-day Patch: Exposing vendors (in) security performance. Black Hat Europe. http:\/\/www.techzoom.net\/papers\/blackhat 0\u00a0day Patch 2008.pdf. Accessed 10 Aug 2013."},{"key":"9274_CR16","unstructured":"GNU Cflow (2013) http:\/\/www.gnu.org\/software\/cflow\/manual\/cflow.html . Accessed 2 Aug 2013."},{"issue":"1","key":"9274_CR17","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1145\/77606.77608","volume":"12","author":"S Horwitz","year":"1990","unstructured":"Horwitz, S., Reps, T., & Binkley, D. (1990). Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS), 12(1), 26\u201360. doi: 10.1145\/77606.77608 .","journal-title":"ACM Transactions on Programming Languages and Systems (TOPLAS)"},{"key":"9274_CR18","unstructured":"Howard, M., Pincus, J., & Wing, J. (2005). Measuring relative attack surfaces. Computer Security in the 21st Century (pp. 109\u2013137). Springer. ISBN 0-387-24005-5, 0-387-24006-3. http:\/\/www.link.springer.com\/chapter\/10.1007\/0-387-24006-3_8 ."},{"key":"9274_CR19","unstructured":"Imperva, a provider of cyber and data security products (2012). http:\/\/www.imperva.com\/docs\/HII_Web_Application_Attack_Report_Ed3.pdf . Accesses 19 Apr 2014."},{"key":"9274_CR20","doi-asserted-by":"crossref","unstructured":"Jansen, W. (2009). Directions in Security Metrics Research. NIST. http:\/\/www.csrc.nist.gov\/publications\/nistir\/ir7564\/nistir-7564_metrics-research.pdf . Accessed 15 March 2013.","DOI":"10.6028\/NIST.IR.7564"},{"key":"9274_CR21","unstructured":"Joh, H., & Malaiya, Y. K. (2011). Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: The 2011 international conference on security and management (SAM\u201911) (pp. 10\u201316)."},{"issue":"12","key":"9274_CR22","doi-asserted-by":"crossref","first-page":"1293","DOI":"10.1109\/T-C.1972.223501","volume":"100","author":"DJ Kuck","year":"1972","unstructured":"Kuck, D. J., Muraoka, Y., & Chen, S. (1972). On the number of operations simultaneously executable in fortran-like programs and their resulting speedup. The IEEE Transactions on Computers, 100(12), 1293\u20131310. doi: 10.1109\/T-C.1972.223501 .","journal-title":"The IEEE Transactions on Computers"},{"issue":"3","key":"9274_CR23","doi-asserted-by":"crossref","first-page":"371","DOI":"10.1109\/TSE.2010.60","volume":"37","author":"PK Manadhata","year":"2011","unstructured":"Manadhata, P. K., & Wing, J. M. (2011). An attack surface metric. The IEEE Transactions on Software Engineering, 37(3), 371\u2013386. doi: 10.1109\/TSE.2010.60 .","journal-title":"The IEEE Transactions on Software Engineering"},{"key":"9274_CR24","doi-asserted-by":"crossref","unstructured":"Manadhata, P. K, Wing, J., Flynn M., & McQueen, M. (2006). Measuring the attack surfaces of two FTP daemons. In: Proceedings of the 2nd ACM workshop on quality of protection (QoP\u201906) (pp. 3\u201310). doi: 10.1145\/1179494.1179497 .","DOI":"10.1145\/1179494.1179497"},{"issue":"1","key":"9274_CR25","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1145\/504909.504911","volume":"5","author":"B Massimo","year":"2002","unstructured":"Massimo, B., Gabrielli, E., & Mancini, L. (2002). Remus: A security-enhanced operating system. ACM Transactions on Information and System Security (TISSEC), 5(1), 36\u201361. doi: 10.1145\/504909.504911 .","journal-title":"ACM Transactions on Information and System Security (TISSEC)"},{"key":"9274_CR26","unstructured":"Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the common vulnerability scoring system version 2.0. Published by FIRST-Forum of Incident Response and Security Teams (pp. 1\u201323). http:\/\/www.first.org\/cvss\/cvss-guide.pdf . Accessed 15 Mar 2013."},{"key":"9274_CR27","unstructured":"Metasploit Database. (2014). http:\/\/www.metasploit.com\/ . Accessed 27 March 2014."},{"key":"9274_CR28","unstructured":"National Vulnerability Database. (2013). http:\/\/www.nvd.nist.gov\/ . Accessed 2 Aug 2013."},{"key":"9274_CR29","unstructured":"OSVDB: Open Sourced Vulnerability Database. (2014). http:\/\/www.osvdb.org\/ . Accessed 19 Feb 2014."},{"key":"9274_CR30","volume-title":"Security in computing","author":"CP Pfleeger","year":"2006","unstructured":"Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in computing. New Jersey: Prentice Hall PTR."},{"key":"9274_CR31","unstructured":"Ponemon Institute. (2013). 2013 Cost of data breach study: Global analysis. Benchmark research sponsored by Symantec, Independently Conducted by Ponemon Institute. https:\/\/www4.symantec.com\/mktginfo\/whitepaper\/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf . Accessed 10 Mar 2013."},{"key":"9274_CR32","unstructured":"Red Hat Bugzilla Main Page. (2014). https:\/\/bugzilla.redhat.com\/ . Accessed 2 Mar 2014."},{"key":"9274_CR33","unstructured":"Scientific Toolworks Understand. (2014). http:\/\/www.scitools.com\/ . Accessed 22 Mar 2014."},{"key":"9274_CR34","unstructured":"SecurityFocus. (2015). http:\/\/www.securityfocus.com\/archive\/1 . Accessed 2 Mar 2015."},{"key":"9274_CR35","unstructured":"Silberschatz, A., Galvin, P. B., & Gagne, G. (2009). Operating system concepts. Wiley."},{"key":"9274_CR36","unstructured":"Skape. (2007). Improving software security analysis using exploitation properties. Uninformed. http:\/\/www.uninformed.org\/?o=about . Accessed 29 Mar 2014."},{"key":"9274_CR37","doi-asserted-by":"crossref","unstructured":"Sparks, S., Embleton, S., Cunningham, R., & Zou, C. (2007). Automated vulnerability analysis: Leveraging control flow for evolutionary input crafting. In: Computer Security Applications Conference (ACSAC 2007) (pp. 477\u2013486). doi: 10.1109\/ACSAC.2007.27 .","DOI":"10.1109\/ACSAC.2007.27"},{"key":"9274_CR38","unstructured":"Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. NIST. http:\/\/www.security-science.com\/pdf\/risk-management-guide-for-information-technology-systems.pdf . Accessed 23 Mar 2013."},{"key":"9274_CR39","unstructured":"The Exploits Database. (2013). http:\/\/www.exploit-db.com\/ . Accessed 7 Aug 2013."},{"key":"9274_CR40","unstructured":"Usage Statistics and Market Share of Web Servers for Websites. (2013). http:\/\/www.w3techs.com\/technologies\/overview\/web_server\/all . Accessed 2 Aug 2013."},{"key":"9274_CR41","unstructured":"Younis, A. A., & Malaiya,Y. K. (2012). Relationship between attack surface and vulnerability density: A case study on apache HTTP server. In: The 2012 international conference on internet computing (ICOMP\u201912) (pp. 197\u2013203)."}],"container-title":["Software Quality Journal"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11219-015-9274-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11219-015-9274-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11219-015-9274-6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,1]],"date-time":"2019-06-01T06:10:42Z","timestamp":1559369442000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11219-015-9274-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,3,27]]},"references-count":41,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2016,3]]}},"alternative-id":["9274"],"URL":"https:\/\/doi.org\/10.1007\/s11219-015-9274-6","relation":{},"ISSN":["0963-9314","1573-1367"],"issn-type":[{"value":"0963-9314","type":"print"},{"value":"1573-1367","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,3,27]]}}}