Towards a unifying approach in understanding security problems

To evaluate security in the context of software reliability engineering, it is necessary to analyse security problems, actual exploits, and their relationship with an understand-ing of the operational behaviour of the system. That can be done in terms of the effort involved in security exploits, through classic reliability factors such as calendar and in-service time, etc. Existing studies focus primarily on se-curity problems and security exploits. Less attention has been given to the study of the relationship between secu-rity problems and security exploits. We present an analysis and classification of 43,710 vulnerabilities from the Open Source National Vulnerability Database and vulnerabilities for two specific products- Bugzilla and FEDORA. About 35 % of the published vulnerabilities have been exploited. 34 % of the vulnerabilities are disclosed as a result of an exploit and only 1.3 % have been exploited after being pub-licly disclosed. We investigate a unifying approach, to un-derstand security as a component of reliability. We focus on the disclosure and exploits of security problems with respect to calendar time and inservice time, and the impact of such exploits on the process of correcting the security problems, and discuss our approach using the collected data. 1 Related Work Security problems (or vulnerabilities or faults) and se-curity exploits (or attacks or failures) are a subset of the general category of software faults and failures [25]. Ex-isting studies discuss security problems and exploits from the viewpoints of types of attacks (e.g. [24, 30, 28, 5]), types of security problems (e.g. [22, 9, 32, 33, 23]), secu-rity patches (e.g. [12]), attacker behaviour (e.g. [10, 19, 1]), a developer (e.g. [15, 6]), a system (e.g. [16, 21]), pre-diction (e.g. [27, 2, 4, 3]), policies and qualitative dis-cussions (e.g. [11, 17, 8, 18]), comparison with reliabilit