1. Introduction
In spite of advances in software testing and quality assurance (Lewis, 2016), it is impossible to completely avoid security vulnerabilities in software products, given the complexity of software development. In fact, the number of software vulnerabilities has grown steadily in recent years. Software security vulnerabilities are one of the important causes of software quality risk, and security breaches often result in monetary losses (Jerman-Blažič, 2008).
One reason for the rise in software vulnerabilities is the high cost of bug hunting and vulnerability discovery. Another is the externality of software products, which allows software vendors to take no direct responsibility for the losses caused by security risks. As a result, software vendors have little incentive to improve the safety of their software products (Byung, 2009).
To encourage software vendors to actively reduce software security vulnerabilities and improve overall software quality, many countries have taken steps to build national software security vulnerability databases (Wu and Zhang, 2012). Such a database registers any verified vulnerability in a vendor's software product, and the record is published in the public domain to alert users to the security issue. In the meantime, the vendor is urged to publish software patches that fix the vulnerability and reduce the risk to software applications. In theory, software vendors can learn from this process and improve the overall quality of their products. In reality, however, little research has investigated this learning process.
This research aims to fill that gap by focusing on the relationship between the type of software vendor and vulnerability features. Based on data from the China National Vulnerability Database of Information Security (CNNVD), we attempt to answer the following three research questions:
RQ1: What is the best classification of vendors in CNNVD?
RQ2: What are vital vulnerability features influencing risks of different vendors’ software products?
RQ3: What is the learning mechanism for different software vendors for reducing the risks in their software applications?
2. Literature Review
Software vulnerability is one of the important reasons for poor security. Software vulnerability analysis mainly covers fundamental research on the generation, discovery, exploitation, management, and reduction of vulnerabilities. Current vulnerability research focuses on vulnerability classification, dynamic and static analysis of vulnerable code, rules and standards for vulnerabilities, and vulnerability fixing (Wu, 2009). Software security vulnerabilities are usually caused by design defects in the system. For example, a vulnerability may arise from the design flaw of failing to check the size of a data buffer, which leads to a stack overflow and forces the computer to execute code supplied by the attacker (Kuperman, Brodley, Ozdoganoglu, Vijaykumar, and Jalote, 2005). From a different angle, Syed, Rahafrooz & Keisler (2018) study how social media attends to software vulnerability information. They argue that a higher volume of retweets about a vulnerability indicates public attention to that information. They ran a negative binomial regression to predict retweet count from tweet content categories, source, and technical features of tweets, as well as the features of the software vulnerabilities themselves.
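The missing buffer-size check cited above from Kuperman et al. is the kind of design defect a vulnerability database record would describe. The following C code is an added illustration, not code from the paper or from any of the cited works: it places the unchecked copy pattern beside a hardened version that verifies the input length against the destination size before copying. The buffer size, function names and sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 16  /* constructed fixed-size stack buffer for the example */

/* Vulnerable pattern (the design flaw named in the text): the length of the
 * incoming data is never compared against the destination buffer, so any
 * input longer than NAME_BUF_SIZE - 1 characters writes past the end of the
 * stack buffer. Shown only to make the missing check visible. */
void copy_name_unchecked(char dst[NAME_BUF_SIZE], const char *src)
{
    strcpy(dst, src);  /* no bounds check */
}

/* Hardened pattern: measure the input against the destination size, reject
 * anything that does not fit together with its terminator, and copy with an
 * explicit bound. Returns true on success, false when the input is rejected. */
bool copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;

    /* Scan at most dst_size bytes so an unterminated input cannot run away. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size)      /* no room left for the NUL terminator */
        return false;

    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Simulates processing one untrusted record into a fixed-size stack buffer.
 * Returns 1 if the record was accepted, 0 if it was rejected as too long. */
int handle_record(const char *untrusted)
{
    char name[NAME_BUF_SIZE];
    return copy_name_checked(name, sizeof name, untrusted) ? 1 : 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *fits = "cnnvd-vendor";                              /* 12 chars */
    const char *too_long = "this-name-is-far-too-long-for-the-buffer";

    char name[NAME_BUF_SIZE];
    copy_name_unchecked(name, fits);   /* only safe because the input happens to fit */

    printf("short input accepted: %d\n", handle_record(fits));     /* 1 */
    printf("long input accepted:  %d\n", handle_record(too_long)); /* 0 */
    return 0;
}
```

The hardened version makes the size decision explicit and testable: an oversized record is rejected at the boundary instead of silently corrupting the stack, which is the property a reviewer or a static analyser looks for when auditing copies into fixed-size buffers.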