
What fraction of software bugs are security vulnerabilities? Obviously, software bugs can be security vulnerabilities -- but also obviously, many software bugs have little or no security impact. Is there any data (or rules of thumb) on roughly what fraction of software bugs are also security vulnerabilities? Or a rough range of values?

D.W.
  • The catch is that as research progresses, existing non-security bugs can *become* security issues as people figure out how to exploit them. It would be interesting if people did the math though. But while we know how many security vulnerabilities get reported in popular software, we don't know how many *bugs* there are. Nor is there much consensus on what constitutes a *bug* (versus an *undesired feature*). – tylerl Jun 22 '13 at 08:02
  • Depends a lot of programming language, maturity of software, what you count as vulnerability/bug... Many vulnerabilities are configuration errors or mismatches between the user's/admin's mental model and the model the software assumes. – CodesInChaos Jun 22 '13 at 08:02

2 Answers

Well, obviously any estimate is going to be fairly hand-wavy, since if we knew the existence of all bugs and could enumerate them, then the bugs probably wouldn't have shipped. So these bug counts are based on bugs found after the fact. Scrutinized software will naturally have proportionally more of its bugs discovered than rarely used software, so our measurement technique is biased.

But here's a post that references Code Complete saying 10-15 bugs per KLOC:

http://amartester.blogspot.com/2007/04/bugs-per-lines-of-code.html

And here's a post right here on SO that estimates security bugs at a max of .05 security bugs per KLOC:

Average number of exploitable bugs per thousand lines of code?

So one rough estimate to your answer is .05/15 = .003333. It's a fairly small proportion.

Mark E. Haase

So how many security flaws are left undiscovered? Flaws in security, unlike other software flaws, go unnoticed until an attacker has shed light upon them. Tomorrow might yield an entirely new attack pattern, and in this new light we find that all of the software that we use is horribly insecure.

... and this has already happened. Aleph One and buffer overflows, finding out that some format string bugs can be exploited, dangling pointers, H.D. Moore and DLL hijacking, oh and don't forget about [fill in your favorite attack here].

rook