Back to Search Start Over

Are vulnerabilities discovered and resolved like other defects?

Authors :
Morrison, Patrick J.
Pandita, Rahul
Xiao, Xusheng
Chillarege, Ram
Williams, Laurie
Source :
Empirical Software Engineering; Jun2018, Vol. 23 Issue 3, p1383-1421, 39p
Publication Year :
2018

Abstract

Software defect data has long been used to drive software development process improvement. If security defects (vulnerabilities) are discovered and resolved by different software development practices than non-security defects, the knowledge of that distinction could be applied to drive process improvement. The goal of this research is to support technical leaders in making security-specific software development process improvements by analyzing the differences between the discovery and resolution of defects versus that of vulnerabilities. We extend Orthogonal Defect Classification (ODC), a scheme for classifying software defects to support software development process improvement, to study process-related differences between vulnerabilities and defects, creating ODC + Vulnerabilities (ODC + V). We applied ODC + V to classify 583 vulnerabilities and 583 defects across 133 releases of three open-source projects (Firefox, phpMyAdmin, and Chrome). Compared with defects, vulnerabilities are found later in the development cycle and are more likely to be resolved through changes to conditional logic. In Firefox, vulnerabilities are resolved 33% more quickly than defects. From a process improvement perspective, these results indicate opportunities may exist for more efficient vulnerability detection and resolution. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
13823256
Volume :
23
Issue :
3
Database :
Complementary Index
Journal :
Empirical Software Engineering
Publication Type :
Academic Journal
Accession number :
129856016
Full Text :
https://doi.org/10.1007/s10664-017-9541-1