Software Vulnerability Assessment: Vendor, Scanner, and User Analysis

2022 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)(2022)

Abstract
Given the complexity of modern software stacks, in which components are layered on top of one another, many vulnerabilities are waiting to be discovered, and some of them can lead to severe exploitation and loss. In this paper, we try to understand how safe we, as users, are from exploitation of known vulnerabilities in commonly used software. First, we assess how well current vulnerability scanners detect known vulnerabilities, using six months of real vulnerability-scanning logs. Surprisingly, our analysis shows that existing vulnerability scanners could take at least 2,999 days to discover 90% of the known vulnerabilities, and that 50% of the high-severity vulnerabilities could take 3,328 days to be discovered. Then, we evaluate the effectiveness of existing software vendors' patching mechanisms by measuring how long computing devices remained exposed before being patched. Our investigation suggests where improvements are needed to lower the risk of exploitation.
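The two headline figures in the abstract are percentiles of a time-to-discovery distribution (90th percentile over all known vulnerabilities, median over high-severity ones), and the vendor-side figure is an exposure window per device. The following Python is an added example written for this page, not code from the paper, showing how such figures are computed from a scan log. It assumes definitions the abstract does not spell out: detection lag is measured from public disclosure to the scanner's first report, exposure runs from disclosure until the patch date (or until the end of the observation window if never patched), and percentiles use the nearest-rank method. The `SAMPLE` records are constructed for illustration; the vulnerability identifiers and dates are not real.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One known vulnerability as it appears in a scan log (field set assumed for this example)."""
    vuln_id: str
    severity: str              # "HIGH", "MEDIUM" or "LOW"
    published: date            # public disclosure date
    first_detected: date       # first time the scanner flagged it on any device
    patched: Optional[date]    # date the affected device was patched; None = still exposed


def detection_lag_days(f: Finding) -> int:
    """Days from public disclosure until the scanner first reported the vulnerability."""
    return (f.first_detected - f.published).days


def exposure_days(f: Finding, as_of: date) -> int:
    """Days the device stayed exposed: disclosure until patch, or until `as_of` if unpatched."""
    end = f.patched if f.patched is not None else as_of
    return (end - f.published).days


def nearest_rank_percentile(values: Iterable[int], p: float) -> int:
    """Smallest value v such that at least a fraction p of the samples are <= v (nearest-rank)."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no samples")
    rank = max(1, math.ceil(p * len(ordered)))   # 1-based rank into the sorted list
    return ordered[rank - 1]


def detection_lag_percentile(findings: List[Finding], p: float,
                             severity: Optional[str] = None) -> int:
    """p-th percentile of detection lag, optionally restricted to one severity level."""
    lags = [detection_lag_days(f) for f in findings
            if severity is None or f.severity == severity]
    return nearest_rank_percentile(lags, p)


def exposure_percentile(findings: List[Finding], p: float, as_of: date) -> int:
    """p-th percentile of the exposure window across all findings."""
    return nearest_rank_percentile([exposure_days(f, as_of) for f in findings], p)


def summarize(findings: List[Finding], as_of: date) -> dict:
    """The kind of summary the abstract reports: scanner lag and vendor-side exposure."""
    return {
        "p90_detection_lag_days": detection_lag_percentile(findings, 0.9),
        "p50_high_detection_lag_days": detection_lag_percentile(findings, 0.5, "HIGH"),
        "p50_exposure_days": exposure_percentile(findings, 0.5, as_of),
        "still_exposed": sum(1 for f in findings if f.patched is None),
    }


# --- constructed sample log (not real data) -------------------------------------
_EPOCH = date(2020, 1, 1)
_AS_OF = _EPOCH + timedelta(days=3650)   # end of the assumed observation window


def _make(vuln_id: str, severity: str, lag: int, patch_lag: Optional[int]) -> Finding:
    """Build a record from offsets (in days) relative to a common disclosure date."""
    patched = None if patch_lag is None else _EPOCH + timedelta(days=patch_lag)
    return Finding(vuln_id, severity, _EPOCH, _EPOCH + timedelta(days=lag), patched)


SAMPLE = [
    _make("V01", "LOW", 5, 20),
    _make("V02", "HIGH", 30, 45),
    _make("V03", "MEDIUM", 60, None),
    _make("V04", "LOW", 120, 150),
    _make("V05", "HIGH", 400, None),
    _make("V06", "MEDIUM", 800, 900),
    _make("V07", "HIGH", 1500, 1600),
    _make("V08", "LOW", 2000, None),
    _make("V09", "MEDIUM", 2500, None),
    _make("V10", "HIGH", 3000, None),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, _AS_OF).items():
        print(f"{key}: {value}")
```

Two points matter when applying this to a real log. First, the disclosure date must come from a feed independent of the scanner (the scanner's own plugin-release date would hide its lag). Second, unpatched devices must be right-censored at the end of the observation window, as done here with `as_of`; dropping them would make the exposure figures look far better than they are.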
Keywords
Software Vulnerability, Vulnerability Assessment, Data Analysis and Interpretation