We examine the code base of the OpenBSD operating system to determine whether its security is increasing over time. We measure the rate at which new code has been introduced and the rate at which vulnerabilities have been reported over the last 7.5 years and fifteen versions. We learn that 61% of the lines of code in today's OpenBSD are foundational: they were introduced prior to the release of the initial version we studied and have not been altered since. We also learn that 62% of reported vulnerabilities were present when the study began and can also be considered to be foundational. We find strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported. However, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years. Finally, we examined the density of vulnerabilities in the code that was altered/introduced in each version. The densities ranged from 0 to 0.033 vulnerabilities reported per thousand lines of code. These densities will increase as more vulnerabilities are reported.