Are vulnerabilities discovered and resolved like other defects?

Patrick J. Morrison, Rahul Pandita, Xusheng Xiao, Ram Chillarege, Laurie Williams

Research output: Contribution to journalArticlepeer-review

36 Scopus citations

Abstract

Software defect data has long been used to drive software development process improvement. If security defects (vulnerabilities) are discovered and resolved by different software development practices than non-security defects, the knowledge of that distinction could be applied to drive process improvement. The goal of this research is to support technical leaders in making security-specific software development process improvements by analyzing the differences between the discovery and resolution of defects versus that of vulnerabilities. We extend Orthogonal Defect Classification (ODC), a scheme for classifying software defects to support software development process improvement, to study process-related differences between vulnerabilities and defects, creating ODC + Vulnerabilities (ODC + V). We applied ODC + V to classify 583 vulnerabilities and 583 defects across 133 releases of three open-source projects (Firefox, phpMyAdmin, and Chrome). Compared with defects, vulnerabilities are found later in the development cycle and are more likely to be resolved through changes to conditional logic. In Firefox, vulnerabilities are resolved 33% more quickly than defects. From a process improvement perspective, these results indicate opportunities may exist for more efficient vulnerability detection and resolution.

Original languageEnglish (US)
Pages (from-to)1383-1421
Number of pages39
JournalEmpirical Software Engineering
Volume23
Issue number3
DOIs
StatePublished - Jun 1 2018
Externally publishedYes

Keywords

  • Measurement
  • Orthogonal Defect Classification (ODC)
  • Process improvement
  • Security
  • Software development

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'Are vulnerabilities discovered and resolved like other defects?'. Together they form a unique fingerprint.

Cite this