Software Vulnerability and Application Security Risk

Jianping Peng, Meiwen Guo, Jing Quan
Copyright: © 2019 |Pages: 10
DOI: 10.4018/IRMJ.2019010103


This research investigates the vendor-based relationships between software vulnerability and application security risk. The data are obtained from the China National Vulnerability Database of Information Security (CNNVD). First, we use a latent class model to classify the software vendors into three categories; we then employ regression models to estimate the relationship between software vulnerability and application security risk for each of the three vendor categories. The results show that the relationships vary across vendor categories. The findings suggest that an IT vendor should learn the vulnerability features specific to its category in order to effectively avoid introducing vulnerabilities into its products.
Article Preview

1. Introduction

In spite of advances in software testing and quality assurance (Lewis, 2016), it is impossible to completely avoid security vulnerabilities in software products, given the high complexity of software development. In fact, the number of software vulnerabilities has been growing steadily in recent years. Software security vulnerability is one of the major causes of software quality risk. Moreover, security breaches often result in monetary losses (Jerman-Blažič, 2008).

One of the reasons for the rise in software vulnerabilities is the high cost of bug hunting and vulnerability discovery. Another reason is the externality of software products, which allows software vendors to take no direct responsibility for the losses caused by security risks. As a result, software vendors have little incentive to improve the security of their software products (Byung, 2009).

To encourage software vendors to actively reduce software security vulnerabilities and improve overall software quality, many countries have taken steps to build national software security vulnerability databases (Wu and Zhang, 2012). Such a database registers any verified vulnerability in a vendor's software product, and the record is published in the public domain to alert users to the security issue. In the meantime, the vendor is urged to publish software patches that fix the security vulnerability and reduce the risk to software applications. In theory, software vendors can learn from this process and improve the overall quality of their products. In reality, however, little research has investigated this learning process.

This research aims to fill the gap by focusing on the relationship between the type of software vendor and vulnerability features. Based on data from the China National Vulnerability Database of Information Security (CNNVD), we attempt to answer the following three research questions:

  • RQ1: What is the best classification of vendors in CNNVD?

  • RQ2: What are vital vulnerability features influencing risks of different vendors’ software products?

  • RQ3: What is the learning mechanism for different software vendors for reducing the risks in their software applications?


2. Literature Review

Software vulnerability is one of the major reasons for poor security. Software vulnerability analysis mainly covers fundamental research on the generation, discovery, exploitation, management, and reduction of vulnerabilities. Current vulnerability research focuses on vulnerability classification, dynamic and static analysis of code vulnerabilities, rules and standards for vulnerabilities, and vulnerability fixing (Wu, 2009). Software security vulnerabilities are usually caused by design defects in the system. For example, a vulnerability may arise from a design flaw of failing to check the size of data written into a buffer, which leads to a stack overflow and forces the computer to execute code supplied by the attacker (Kuperman, Brodley, Ozdoganoglu, Vijaykumar, and Jalote, 2005). From a different angle, Syed, Rahafrooz & Keisler (2018) study how social media attends to software vulnerability information. They argue that a higher volume of retweets about vulnerabilities indicates public attention to such information. They ran a negative binomial regression to predict retweet count based on tweet content categories, source, and technical features of the tweets, as well as features of the software vulnerabilities.
