Alexopoulos, Nikolaos ; Habib, Sheikh Mahbub ; Schulz, Steffen ; Mühlhäuser, Max (2020)
The Tip of the Iceberg: On the Merits of Finding Security Bugs.
In: ACM Transactions on Privacy and Security, 24 (1)
doi: 10.1145/3406112
Artikel, Bibliographie
Kurzbeschreibung (Abstract)
In this article, we investigate a fundamental question regarding software security: Is the security of SW releases increasing over time? We approach this question with a detailed analysis of the large body of open-source software packaged in the popular Debian GNU/Linux distribution. Contrary to common intuition, we find no clear evidence that the vulnerability rate of widely used software decreases over time: Even in popular and “stable” releases, the fixing of bugs does not seem to reduce the rate of newly identified vulnerabilities. The intuitive conclusion is worrisome: Commonly employed development and validation procedures do not seem to scale with the increase of features and complexity—they are only chopping pieces off the top of an iceberg of vulnerabilities.To the best of our knowledge, this is the first investigation into the problem that studies a complete distribution of software, spanning multiple versions. Although we can not give a definitive answer, we show that several popular beliefs also cannot be confirmed given our dataset. We publish our Debian Vulnerability Analysis Framework (DVAF), an automated dataset creation and analysis process, to enable reproduction and further analysis of our results. Overall, we hope our contributions provide important insights into the vulnerability discovery process and help in identifying effective techniques for vulnerability analysis and prevention.
| Typ des Eintrags: | Artikel |
|---|---|
| Erschienen: | 2020 |
| Autor(en): | Alexopoulos, Nikolaos ; Habib, Sheikh Mahbub ; Schulz, Steffen ; Mühlhäuser, Max |
| Art des Eintrags: | Bibliographie |
| Titel: | The Tip of the Iceberg: On the Merits of Finding Security Bugs |
| Sprache: | Englisch |
| Publikationsjahr: | September 2020 |
| Ort: | New York, NY, USA |
| Verlag: | Association for Computing Machinery |
| Titel der Zeitschrift, Zeitung oder Schriftenreihe: | ACM Transactions on Privacy and Security |
| Jahrgang/Volume einer Zeitschrift: | 24 |
| (Heft-)Nummer: | 1 |
| Veranstaltungsort: | New York, NY, USA |
| DOI: | 10.1145/3406112 |
| URL / URN: | https://doi.org/10.1145/3406112 |
| Zugehörige Links: | |
| Kurzbeschreibung (Abstract): | In this article, we investigate a fundamental question regarding software security: Is the security of SW releases increasing over time? We approach this question with a detailed analysis of the large body of open-source software packaged in the popular Debian GNU/Linux distribution. Contrary to common intuition, we find no clear evidence that the vulnerability rate of widely used software decreases over time: Even in popular and “stable” releases, the fixing of bugs does not seem to reduce the rate of newly identified vulnerabilities. The intuitive conclusion is worrisome: Commonly employed development and validation procedures do not seem to scale with the increase of features and complexity—they are only chopping pieces off the top of an iceberg of vulnerabilities.To the best of our knowledge, this is the first investigation into the problem that studies a complete distribution of software, spanning multiple versions. Although we can not give a definitive answer, we show that several popular beliefs also cannot be confirmed given our dataset. We publish our Debian Vulnerability Analysis Framework (DVAF), an automated dataset creation and analysis process, to enable reproduction and further analysis of our results. Overall, we hope our contributions provide important insights into the vulnerability discovery process and help in identifying effective techniques for vulnerability analysis and prevention. |
| Freie Schlagworte: | vulnerability discovery rate, Empirical study, debian GNU/Linux |
| Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Telekooperation Profilbereiche Profilbereiche > Cybersicherheit (CYSEC) LOEWE LOEWE > LOEWE-Zentren LOEWE > LOEWE-Zentren > CRISP - Center for Research in Security and Privacy |
| Hinterlegungsdatum: | 12 Okt 2020 09:30 |
| Letzte Änderung: | 12 Okt 2020 09:30 |
| PPN: | |
| Zugehörige Links: | |
| Export: | |
| Suche nach Titel in: | TUfind oder in Google |
 |
Frage zum Eintrag |
Optionen (nur für Redakteure)
 |
Redaktionelle Details anzeigen |
Drucken
Impressum