TY - JOUR
T1 - Are vulnerabilities discovered and resolved like other defects?
AU - Morrison, Patrick J.
AU - Pandita, Rahul
AU - Xiao, Xusheng
AU - Chillarege, Ram
AU - Williams, Laurie
N1 - Publisher Copyright:
© 2017, Springer Science+Business Media, LLC.
PY - 2018/6/1
Y1 - 2018/6/1
N2 - Software defect data has long been used to drive software development process improvement. If security defects (vulnerabilities) are discovered and resolved by different software development practices than non-security defects, the knowledge of that distinction could be applied to drive process improvement. The goal of this research is to support technical leaders in making security-specific software development process improvements by analyzing the differences between the discovery and resolution of defects versus that of vulnerabilities. We extend Orthogonal Defect Classification (ODC), a scheme for classifying software defects to support software development process improvement, to study process-related differences between vulnerabilities and defects, creating ODC + Vulnerabilities (ODC + V). We applied ODC + V to classify 583 vulnerabilities and 583 defects across 133 releases of three open-source projects (Firefox, phpMyAdmin, and Chrome). Compared with defects, vulnerabilities are found later in the development cycle and are more likely to be resolved through changes to conditional logic. In Firefox, vulnerabilities are resolved 33% more quickly than defects. From a process improvement perspective, these results indicate opportunities may exist for more efficient vulnerability detection and resolution.
AB - Software defect data has long been used to drive software development process improvement. If security defects (vulnerabilities) are discovered and resolved by different software development practices than non-security defects, the knowledge of that distinction could be applied to drive process improvement. The goal of this research is to support technical leaders in making security-specific software development process improvements by analyzing the differences between the discovery and resolution of defects versus that of vulnerabilities. We extend Orthogonal Defect Classification (ODC), a scheme for classifying software defects to support software development process improvement, to study process-related differences between vulnerabilities and defects, creating ODC + Vulnerabilities (ODC + V). We applied ODC + V to classify 583 vulnerabilities and 583 defects across 133 releases of three open-source projects (Firefox, phpMyAdmin, and Chrome). Compared with defects, vulnerabilities are found later in the development cycle and are more likely to be resolved through changes to conditional logic. In Firefox, vulnerabilities are resolved 33% more quickly than defects. From a process improvement perspective, these results indicate opportunities may exist for more efficient vulnerability detection and resolution.
KW - Measurement
KW - Orthogonal Defect Classification (ODC)
KW - Process improvement
KW - Security
KW - Software development
UR - http://www.scopus.com/inward/record.url?scp=85029590820&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85029590820&partnerID=8YFLogxK
U2 - 10.1007/s10664-017-9541-1
DO - 10.1007/s10664-017-9541-1
M3 - Article
AN - SCOPUS:85029590820
SN - 1382-3256
VL - 23
SP - 1383
EP - 1421
JO - Empirical Software Engineering
JF - Empirical Software Engineering
IS - 3
ER -