Abstract

The security of a company's software products is of paramount importance, of course, and arguably even more important than software reliability and the other key quality attributes. But companies currently face a troublesome dilemma: supplying customers with more features at greater speed than in the past has become the norm, and high feature velocity, fairly static engineering headcounts, and shorter release cycles are conspiring to threaten both software reliability and security. The work described in this paper is an attempt to baseline and (internally) benchmark the state of our company's software security, and it also includes some data on the state of software reliability across the company's products. Of particular interest in this study is learning more about the extent of software vulnerabilities emanating from the open source software that we import and use in our commercial products. Prior evidence had been building that such 'third-party software' (TPS) is inherently more vulnerable to security (and reliability) problems. We have examined the software vulnerability occurrences across all the company's software, in the aggregate, and have found that the TPS used in our products, primarily open source software, initially contains more vulnerabilities than internally produced software. Security and reliability problems, both in terms of bug counts and as percentages of total code volume, correlate quite well, and examples of this are also shown, but we cannot rely on this concurrence in our study: software security on its own has been examined in detail, and while some findings are documented here, many questions remain.
