Software reliability: measurement, prediction, application
Software reliability: measurement, prediction, application
The mythical man-month (anniversary ed.)
The mythical man-month (anniversary ed.)
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
IEEE Transactions on Software Engineering
An empirical study of operating systems errors
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
Modeling the Vulnerability Discovery Process
ISSRE '05 Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering
The Security Development Lifecycle
The Security Development Lifecycle
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
N-variant systems: a secretless framework for security through diversity
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Software Reliability Status and Perspectives
IEEE Transactions on Software Engineering
Improving vulnerability discovery models
Proceedings of the 2007 ACM workshop on Quality of protection
A few billion lines of code later: using static analysis to find bugs in the real world
Communications of the ACM
Security Econometrics: The Dynamics of (In)Security
Security Econometrics: The Dynamics of (In)Security
Post-release reliability growth in software products
ACM Transactions on Software Engineering and Methodology (TOSEM)
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
A large scale exploratory analysis of software vulnerability life cycles
Proceedings of the 34th International Conference on Software Engineering
An historical examination of open source releases and their vulnerabilities
Proceedings of the 2012 ACM conference on Computer and communications security
Hi-index | 0.01 |
Work on security vulnerabilities in software has primarily focused on three points in the software life-cycle: (1) finding and removing software defects, (2) patching or hardening software after vulnerabilities have been discovered, and (3) measuring the rate of vulnerability exploitation. This paper examines an earlier period in the software vulnerability life-cycle, starting from the release date of a version through to the disclosure of the fourth vulnerability, with a particular focus on the time from release until the very first disclosed vulnerability. Analysis of software vulnerability data, including up to a decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as software quality. This leads us to the observation that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects. We show that the length of the period after the release of a software product (or version) and before the discovery of the first vulnerability (the 'Honeymoon' period) is primarily a function of familiarity with the system. In addition, we demonstrate that legacy code resulting from code re-use is a major contributor to both the rate of vulnerability discovery and the numbers of vulnerabilities found; this has significant implications for software engineering principles and practice.