Software vulnerability mitigation as a proper subset of software maintenance

Abstract

Through the rise of the Internet and Web-based software our computing environment has evolved from well-defined topologies into loosely organized, unbounded topologies where user profiles and intentions are largely unknown. With less than 20 years experience in this chaotic computing environment, software developers and maintenance professionals are still learning efficient and systematic means of locating faults and code vulnerabilities that can be exploited by malicious users. Exponential growth in software intrusions, attacks, and security incidents has been observed worldwide. The question that arises, however, is whether software security considerations are genuinely new issues, or can they be addressed using existing definitions, technologies, and tools. That is, can we portray software vulnerabilities, especially specific instances of exploitable code, as software faults so that systematic software maintenance practices can be applied? In this paper we present a longitudinal analysis of software vulnerabilities in a widely used file-transfer program, by examining 12 years of maintenance records documenting perfective, corrective, and adaptive changes to the software suite. Our analysis of the program's software faults and vulnerabilities indicate that they are not distinct categories, but rather two overlapping sets that should not be addressed separately. An in-depth analysis of two dominant security flaws shows that they are canonical software faults that can lead to failure even in the absence of malicious user behavior. Our longitudinal analysis demonstrates that every security vulnerability in the program suite could have been eliminated prior to release via proactive software maintenance engineering. Copyright © 2005 John Wiley & Sons, Ltd.