1. Introduction
By virtue of ongoing advances in networking, the internet has become a necessity, but the connectivity of computing systems has also raised software security concerns. Substantial effort is spent every year to detect, publish, and fix security vulnerabilities in software products. As the number of vulnerabilities in a system grows, the number of possible security breaches also shows an upward trend. These concerns marked the outset of quantitative modeling of the vulnerability discovery process. Vulnerability discovery models assist developers in patch management, optimal resource allocation and assessment of the associated security risks.
The software community frequently faces the challenge of updating, protecting, maintaining, and improving the software product. The testing and maintenance of software depend on its development strategy, which could be closed source software development (CSSD) or open source software development (OSSD). Owing to the structural differences between open and closed source software, their maintenance and support also vary (Potdar and Chang, 2004). In open source software the source code is widely available, so potential attackers can easily analyze it for possible vulnerabilities; the same is not true of closed source software. The availability of resources for open source software is typically higher than for closed source software. Because of these differences, the trend of vulnerability discovery in the two software communities also differs significantly. All software, whether open or closed source, is inherently insecure, and the growing demand for open source software (OSS) in recent years has motivated researchers to identify vulnerability trends in patching strategies as well as in upgrades. Since these attributes differ between the open and closed source communities, the vulnerability trends of the two communities deviate from each other in behavior (Raymond, 1999), (Robles, 2004), (Llanos & Castillo, 2012), (Schreyn, 2009), (Schreyn & Kadura, 2009). These trends are captured using quantitative modeling techniques termed Vulnerability Discovery Models.
Work has been done in the past to quantitatively characterize security vulnerabilities and to estimate the potential number of vulnerabilities in a software product. Vulnerability Discovery Models (VDMs) facilitate resource allocation for security testing, the development of security patches, and scheduling. VDMs assess the probability of risk and help the developer allocate the resources required to handle potential breaches. Estimating the number of vulnerabilities in a system also supports the critical decision of when to stop testing for vulnerabilities in order to release a stable version.
In this paper, we propose a new VDM that estimates the number of vulnerabilities in a software system and their distribution over time by using analytical modeling techniques, while enumerating the differences in vulnerability detection patterns between open and closed source software. We have evaluated the applicability and precision of existing VDMs and the proposed VDM on datasets from open source and proprietary (closed source) software. The vulnerability detection rates of open and closed source software show some significant differences owing to the different strategies followed during their development and testing. The lifecycles of open and closed source software differ, which in turn affects their vulnerability discovery patterns (Groot, Kugler, Adams & Gousios, 2006), (Llanos & Castillo, 2012).
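To make concrete what a VDM delivers to a developer, as described above (an estimate of the total number of vulnerabilities and a basis for deciding when to stop testing), the following is an added worked example; it is not the model proposed in this paper nor code from its authors. It fits the well-known Alhazmi-Malaiya Logistic (AML) model, Ω(t) = B / (B·C·e^(−A·B·t) + 1), to a constructed series of monthly cumulative vulnerability counts for a hypothetical product, then reads off the estimated total B, the number still undiscovered, and the month by which 95% of them are expected to be found. The data, the parameter ranges and the grid-search fitting routine are all assumptions made for the illustration.

```python
import math

# Constructed sample (not data from the paper): cumulative number of
# vulnerabilities reported against a hypothetical product in each of the
# first 24 months after release. Generated from an S-shaped curve and
# rounded to whole counts so that the fit below has realistic noise.
MONTHS = list(range(1, 25))
CUMULATIVE = [1, 1, 2, 2, 3, 4, 5, 7, 9, 11, 14, 17,
              21, 26, 30, 34, 39, 43, 46, 49, 51, 53, 55, 56]


def aml(t, total, rate, shape):
    """Alhazmi-Malaiya Logistic model, Omega(t) = B / (B*C*exp(-A*B*t) + 1).

    Re-parameterised for fitting: `total` is B (the number of vulnerabilities
    the product will ever have), `rate` is the combined constant A*B, and
    `shape` is the product B*C, which sets how many were known at t = 0.
    """
    return total / (shape * math.exp(-rate * t) + 1.0)


def fit_aml(months, counts):
    """Least-squares fit of the AML model by exhaustive grid search.

    Grid search is used here because it is deterministic and needs no
    third-party library; a production fit would hand the same model to a
    nonlinear optimiser. The parameter ranges are assumptions chosen to
    bracket the constructed data. Returns (total, rate, shape).
    """
    best_err, best = None, None
    for rate_i in range(10, 61):              # A*B from 0.10 to 0.60 per month
        rate = rate_i / 100.0
        decay = [math.exp(-rate * t) for t in months]
        for shape in range(20, 201, 10):      # B*C from 20 to 200
            denom = [shape * d + 1.0 for d in decay]
            for total in range(40, 101):      # B from 40 to 100 vulnerabilities
                err = sum((total / dn - y) ** 2 for dn, y in zip(denom, counts))
                if best_err is None or err < best_err:
                    best_err, best = err, (total, rate, shape)
    return best


def remaining(params, months_observed):
    """Vulnerabilities the fitted model expects still to be undiscovered."""
    total, rate, shape = params
    return total - aml(months_observed, total, rate, shape)


def time_to_fraction(params, fraction=0.95):
    """Month by which `fraction` of all vulnerabilities are expected to be found.

    Solving Omega(t) = fraction * B for t gives
    t = ln(shape * fraction / (1 - fraction)) / rate.
    """
    total, rate, shape = params
    return math.log(shape * fraction / (1.0 - fraction)) / rate


if __name__ == "__main__":
    params = fit_aml(MONTHS, CUMULATIVE)
    total, rate, shape = params
    print(f"fitted B={total}, A*B={rate:.2f}/month, B*C={shape}")
    print(f"observed so far: {CUMULATIVE[-1]}, "
          f"expected still undiscovered: {remaining(params, MONTHS[-1]):.1f}")
    print(f"95% of vulnerabilities expected by month "
          f"{time_to_fraction(params):.1f}")
```

The "remaining" figure is what drives patch-management and staffing decisions, and the 95% month is the kind of threshold a release manager would compare against a planned stop-testing date; both depend entirely on how well the chosen model matches the discovery pattern of the software in question, which is exactly the open versus closed source difference this paper examines.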