New Approaches to Software Security Metrics and Measurements

Presenter: Nikolaos Alexopoulos, TU Darmstadt
Date: 09 May 2022


Meaningful metrics and methods for measuring software security would greatly improve the security of software ecosystems. Such means would make security an observable attribute, helping users make informed choices and allowing vendors to 'charge' for it—thus, providing strong incentives for more security investment. In this talk, I will present an overview of the contributions of my dissertation consisting of three empirical measurement studies introducing new approaches to measuring aspects of software security, focusing on Free/Libre and Open Source Software (FLOSS).

For reference, I will talk about work already published as:

[1] Nikolaos Alexopoulos, Sheikh Mahbub Habib, Steffen Schulz, Max Mühlhäuser. "The Tip of the Iceberg: On the Merits of Finding Security Bugs." In ACM Trans. Priv. Secur. 24, 1, Article 3 (February 2021), 2021.

[2] Nikolaos Alexopoulos, Andrew Meneely, Dorian Arnouts, Max Mühlhäuser. "Who are Vulnerability Reporters?: A Large-scale Empirical Study on FLOSS." In ESEM ‘21: ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, Bari, Italy, October 11-15, 2021, 2021.

[3] Nikolaos Alexopoulos, Manuel Brack, Jan Wagner, Tim Grube, Max Mühlhäuser. "How Long Do Vulnerabilities Live in the Code? A Large-Scale Empirical Measurement Study on FOSS Vulnerability Lifetimes." In 31th USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022 (to appear), 2022.