DocumentCode :
2796035
Title :
Towards a Unifying Approach in Understanding Security Problems
Author :
Anbalagan, Prasanth ; Vouk, Mladen
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
fYear :
2009
fDate :
16-19 Nov. 2009
Firstpage :
136
Lastpage :
145
Abstract :
To evaluate security in the context of software reliability engineering, it is necessary to analyse security problems, actual exploits, and their relationship, together with an understanding of the operational behaviour of the system. That can be done in terms of the effort involved in security exploits, through classic reliability factors such as calendar time and in-service time, etc. Existing studies focus primarily on security problems and security exploits considered separately; less attention has been given to the relationship between security problems and the exploits of them. We present an analysis and classification of 43,710 vulnerabilities from the Open Source National Vulnerability Database and of the vulnerabilities reported for two specific products, Bugzilla and FEDORA. About 35% of the published vulnerabilities have been exploited; 34% of the vulnerabilities were disclosed as a result of an exploit, and only 1.3% were exploited after being publicly disclosed. We investigate a unifying approach that treats security as a component of reliability. We focus on the disclosure and exploitation of security problems with respect to calendar time and in-service time, and on the impact of such exploits on the process of correcting the security problems, and we discuss our approach using the collected data.
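The classification the abstract describes (exploit precedes or triggers disclosure, exploit follows disclosure, no known exploit) and the two time measures it uses (calendar time to fix, in-service time at disclosure) can be made concrete on a small record set. The following is an added example written for this page, not code from Anbalagan and Vouk; the record fields, the bucket names and the sample data are constructed and do not come from the NVD, Bugzilla or Fedora data the paper analysed.

```python
"""Classify vulnerabilities by the order of exploit and disclosure, and
relate exploitation to time-to-fix and in-service time.

Added illustration; record format and sample data are constructed here.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    disclosed: date            # public disclosure date
    exploited: Optional[date]  # first known exploit date, None if no known exploit
    fixed: Optional[date]      # fix release date, None if still unfixed


# Bucket names are this example's own, chosen to mirror the abstract's three groups.
EXPLOIT_DISCLOSED = "exploit_disclosed"   # exploit on or before disclosure: exploit drove disclosure
EXPLOITED_AFTER = "exploited_after"       # exploited only after public disclosure
NOT_EXPLOITED = "not_exploited"           # no known exploit


def classify(rec: VulnRecord) -> str:
    """Bucket one record by the relationship between exploit and disclosure dates."""
    if rec.exploited is None:
        return NOT_EXPLOITED
    if rec.exploited <= rec.disclosed:
        return EXPLOIT_DISCLOSED
    return EXPLOITED_AFTER


def proportions(records: List[VulnRecord]) -> Dict[str, float]:
    """Fraction of records in each bucket (the abstract's 34% / 1.3% style figures)."""
    counts = {EXPLOIT_DISCLOSED: 0, EXPLOITED_AFTER: 0, NOT_EXPLOITED: 0}
    for rec in records:
        counts[classify(rec)] += 1
    total = len(records)
    return {k: v / total for k, v in counts.items()} if total else dict.fromkeys(counts, 0.0)


def exploited_fraction(records: List[VulnRecord]) -> float:
    """Share of records with any known exploit (the abstract's 'about 35%' figure)."""
    p = proportions(records)
    return p[EXPLOIT_DISCLOSED] + p[EXPLOITED_AFTER]


def time_to_fix_days(rec: VulnRecord) -> Optional[int]:
    """Calendar days from public disclosure to fix; None if unfixed.
    Negative values mean the fix shipped before disclosure (silent fix)."""
    if rec.fixed is None:
        return None
    return (rec.fixed - rec.disclosed).days


def median_time_to_fix(records: List[VulnRecord], exploited: bool) -> Optional[float]:
    """Median time-to-fix over fixed records, split by whether an exploit is known,
    so the effect of exploitation on the correction process can be compared."""
    days = [
        time_to_fix_days(r) for r in records
        if (r.exploited is not None) == exploited and r.fixed is not None
    ]
    return median(days) if days else None


def in_service_days(rec: VulnRecord, product_release: date) -> int:
    """In-service time of the product at disclosure (days since product release)."""
    return (rec.disclosed - product_release).days


# Constructed sample records (not real CVEs), product assumed released 2009-01-01.
PRODUCT_RELEASE = date(2009, 1, 1)
SAMPLE: List[VulnRecord] = [
    VulnRecord("V-1", date(2009, 3, 10), date(2009, 3, 1), date(2009, 3, 15)),   # exploit before disclosure
    VulnRecord("V-2", date(2009, 4, 2), None, date(2009, 5, 12)),                # never exploited
    VulnRecord("V-3", date(2009, 4, 20), date(2009, 5, 1), date(2009, 5, 5)),    # exploited after disclosure
    VulnRecord("V-4", date(2009, 6, 1), None, None),                             # unfixed, never exploited
    VulnRecord("V-5", date(2009, 6, 15), date(2009, 6, 15), date(2009, 6, 20)),  # exploit and disclosure same day
    VulnRecord("V-6", date(2009, 7, 7), None, date(2009, 8, 6)),                 # never exploited
]

if __name__ == "__main__":
    for name, frac in proportions(SAMPLE).items():
        print(f"{name:18s} {frac:.1%}")
    print("any exploit        ", f"{exploited_fraction(SAMPLE):.1%}")
    print("median fix, exploited    :", median_time_to_fix(SAMPLE, exploited=True), "days")
    print("median fix, not exploited:", median_time_to_fix(SAMPLE, exploited=False), "days")
    print("in-service at V-1 disclosure:", in_service_days(SAMPLE[0], PRODUCT_RELEASE), "days")
```

The same-day case (V-5) is deliberately placed in the exploit-drove-disclosure bucket, since a disclosure that arrives with a working exploit is the situation the abstract's 34% figure describes; a real study would also need a rule for records whose exploit date is only known to the month, which this example does not handle.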
Keywords :
public domain software; security of data; software reliability; open source national vulnerability database; security problems; software reliability engineering; Calendars; Computer science; Computer security; Data security; National security; Operating systems; Packaging; Predictive models; Reliability engineering; Software reliability; Fedora; Linux; Open source; Security; Software reliability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Software Reliability Engineering, 2009. ISSRE '09. 20th International Symposium on
Conference_Location :
Mysuru, Karnataka
ISSN :
1071-9458
Print_ISBN :
978-1-4244-5375-7
Electronic_ISBN :
1071-9458
Type :
conf
DOI :
10.1109/ISSRE.2009.25
Filename :
5362096