Foundational bugs in software

Gullible Jones · Nov 2, 2013

A rather interesting research paper, from quite a while ago:

http://research.microsoft.com/pubs/79177/milkorwine.pdf

Over a period of 7.5 years and fifteen releases, 62% of the
140 vulnerabilities reported in OpenBSD were founda-
tional: present in the code at the beginning of the study.
It took more than two and a half years for the first half of
these foundational vulnerabilities to be reported.
Click to expand...

If this applies to other operating systems, maybe it lends some credence to the idea that from-scratch rewrites of components are sometimes needed. Further justification for e.g Wayland, perhaps? I'd be interested to know what those of you with more schooling in statistics have to say.

Also, an interesting tidbit:

When calculated per thousand lines of code, rather
than per million, the density of all reported vulnerabil-
ities ranged from 0–0.033 and averaged 0.00657. As
noted above, some software engineers estimate the de-
fect density of well-written code to be 3–6 per thousand
lines of code [5]; these vulnerability densities are three
orders of magnitude less than that amount. The two fig-
ures are not necessarily contradictory: defects include
both vulnerabilities and bugs that are not vulnerabilities.
Click to expand...

If OpenBSD has a "good" bug density, that means vulnerabilities account for well under 1% of reported bugs. I wonder if that is typical.

Log in or Sign up

Foundational bugs in software

Gullible Jones Registered Member

Log in or Sign up

Foundational bugs in software

Gullible Jones Registered Member

Useful Searches