Title :
Vulnerability Discovery in Multi-Version Software Systems
Author :
Kim, Jinyoo ; Malaiya, Yashwant K. ; Ray, Indrakshi
Author_Institution :
Colorado State Univ., Fort Collins
Abstract :
The vulnerability discovery process for a program describes the rate at which its security vulnerabilities are discovered. Being able to predict the vulnerability discovery process allows developers to adequately plan the resource allocation needed to develop patches for them. It also enables users to assess the security risks. Thus there is a need to develop a model of the discovery process that can predict the number of vulnerabilities that are likely to be discovered in a given time frame. Recent studies have produced vulnerability discovery process models that are suitable for a specific version of a software system. However, these models may not accurately estimate the vulnerability discovery rates for software when we consider successive versions. In this paper, we propose a new approach for quantitatively modeling the vulnerability discovery process, based on shared source code measurements among multi-version software systems. Such a modeling approach can be used for assessing security risk both before and after the release of a version. The applicability of the approach is examined using two open source software systems, viz., the Apache HTTP Web server and the MySQL database management system (DBMS). We have examined the relationship between shared code size and shared vulnerabilities between two successive versions. We observe that vulnerabilities continue to be discovered for an older version because part of its code is shared by the newer and more popular later version. Thus, even when the installed base of an older version has declined, vulnerabilities applicable to it are still discovered. Our results are validated using the source code and vulnerability data for two major versions of the Apache HTTP Web server and two major versions of the MySQL DBMS.
Keywords :
configuration management; resource allocation; security of data; software metrics; Apache HTTP Web server; MySQL database management system; multiversion software system; open source software system; resource allocation; security risk; shared source code measurement; vulnerability discovery process; Data security; National security; Predictive models; Resource management; Software maintenance; Software measurement; Software reliability; Software systems; Systems engineering and theory; Web server;
Conference_Title :
High Assurance Systems Engineering Symposium, 2007. HASE '07. 10th IEEE
Conference_Location :
Plano, TX
Print_ISBN :
978-0-7695-3043-7
DOI :
10.1109/HASE.2007.55