The Mathematics of Infectious Diseases
SIAM Review
Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Modeling the Vulnerability Discovery Process
ISSRE '05 Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering
The Security Development Lifecycle
Data Mining Static Code Attributes to Learn Defect Predictors
IEEE Transactions on Software Engineering
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Predicting Defects for Eclipse
PROMISE '07 Proceedings of the Third International Workshop on Predictor Models in Software Engineering
Predicting vulnerable software components
Proceedings of the 14th ACM conference on Computer and communications security
Comparing design and code metrics for software quality prediction
Proceedings of the 4th international workshop on Predictor models in software engineering
An empirical model to predict security vulnerabilities using code complexity metrics
Proceedings of the Second ACM-IEEE international symposium on Empirical software engineering and measurement
Is complexity really the enemy of software security?
Proceedings of the 4th ACM workshop on Quality of protection
Predicting Attack-prone Components
ICST '09 Proceedings of the 2009 International Conference on Software Testing Verification and Validation
Fair and balanced?: bias in bug-fix datasets
Proceedings of the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Predicting defects with program dependencies
ESEM '09 Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement
Which is the right source for vulnerability studies?: an empirical analysis on Mozilla Firefox
Proceedings of the 6th International Workshop on Security Measurements and Metrics
Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities
Journal of Systems Architecture: the EUROMICRO Journal
An idea of an independent validation of vulnerability discovery models
ESSoS'12 Proceedings of the 4th international conference on Engineering Secure Software and Systems
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Towards automatic software lineage inference
SEC'13 Proceedings of the 22nd USENIX conference on Security
We study the interplay between the evolution of the Firefox source code and the known vulnerabilities in Firefox over six major versions (v1.0, v1.5, v2.0, v3.0, v3.5, and v3.6) spanning almost ten years of development, integrating a number of sources (NVD, CVE, MFSA, Firefox CVS). We conclude that a large fraction of vulnerabilities apply to code that is no longer maintained in older versions. We call these after-life vulnerabilities. This complements the Milk-or-Wine study of Ozment and Schechter--which we also partly confirm--as we look at vulnerabilities in the reference frame of the source code, revealing a vulnerability's future, whereas they looked at its past history. Through an analysis of that code's market share, we also conclude that vulnerable code is still very much in use, both in terms of deployed instances and as a share of the global codebase: CVS evidence suggests that Firefox evolves relatively slowly. This is empirical evidence that the software-evolution-as-security solution--patching software and automatic updates--might not work, and that vulnerabilities will have to be mitigated by other means.