A methodology and a platform to measure and assess software windows of vulnerability

Nowadays, it is impossible not to recognize how software solutions have changed the world and the crucial role they play in our daily life. With their quick spread, especially in Cloud and Internet of Things contexts, security risks to which they are exposed have risen as well. Unfortunately, even if a lot of techniques have been realized to protect infrastructures from attackers, they are not enough to achieve truly secure systems. Therefore, since the price to pay for recovering from an outbreak can be enormous, organizations need a way to assess security of products they use. A useful and very overlooked metric that can be considered in this situations is the software window of vulnerability, which is the amount of time a software has been vulnerable to an attack. The main reason why this metric is often neglected is because the information required to compute it are provided by heterogeneous sources, and there is not a standard framework or at least a model that can simplify the task. Hence, the aim of this thesis will be filling this lack, at first by defining a model to evaluate software windows of vulnerability and then by implementing a platform able to compute this metric for software of different systems. Since keeping the approach general is not feasible outside of the theoretical model, the implementation step will necessarily require a system specific choice. Therefore, GNU/Linux systems were selected specifically for two reasons: their recent rise in popularity in the previously mentioned fields and their software management policy (which is based on package managers) that allows to find the data required by the analysis more easily.