A comprehensive study on security bug characteristics. Issue 10 (2nd September 2021)
- Record Type:
- Journal Article
- Title:
- A comprehensive study on security bug characteristics. Issue 10 (2nd September 2021)
- Main Title:
- A comprehensive study on security bug characteristics
- Authors:
- Wei, Ying
Sun, Xiaobing
Bo, Lili
Cao, Sicong
Xia, Xin
Li, Bin
- Abstract:
- Abstract: Security bugs can catastrophically impact our increasingly digital lives. Designing effective tools for detecting and fixing software security bugs requires a deep understanding of security bug characteristics. In this paper, we conducted a comprehensive study on security bugs and proposed the classification criteria for security bug category, that is, root cause, consequence, and location. In addition, we selected 1076 bug reports from five projects (i.e., Apache Tomcat, Apache HTTP Server, Mozilla Firefox, Linux Kernel, and Eclipse) in the NVD for investigation. Finally, we investigated the correlation between the classification results and obtained some findings: (1) memory operation is the most common security bug; (2) the primary root causes of security bugs are CON (Configuration Error), INP (Input Validation Error), and MEM (Memory Error); (3) the severity of more than 40% of security bugs is high; (4) security bugs caused by INP mainly occur on web; and (5) security bugs caused by LOG (Logic Resource Error) usually lead to DoS (Denial of Service). We discussed these findings through data analysis, which can also help developers better understand the characteristics of security bugs.
- Abstract : From the figure above, we can find that data leakage is the main consequence of authentication restriction and data encryption security bugs. In addition, memory operation is the most common security bug, but its project imbalance means that the proportion of vulnerability types in the project may be closely related to its programming language. Among the security bugs caused by CON (Configuration Error), most of the authentication restriction bugs occurred on the web. … (more)
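The findings in the abstract are conditional proportions over three labels per bug (root cause, consequence, location) plus an NVD severity band. The following script, added here as an illustration and not code from the paper or its authors, shows how such findings are derived: it cross-tabulates a small set of constructed bug records and reports, for each root cause, the dominant location and consequence, and the share of bugs rated HIGH. The root-cause codes CON, INP, MEM and LOG come from the abstract; the consequence and location labels, the sample records, and the use of CVSS v2 bands (7.0 and above is HIGH) for "severity is high" are this example's own assumptions. The numbers it prints are for the constructed sample and do not reproduce the paper's results.

```python
"""Cross-tabulating security bug labels by root cause, consequence and
location, in the style of the study's three classification criteria.

The records below are CONSTRUCTED for illustration; they are not taken from
the paper's 1076 NVD reports and do not reproduce its figures."""
from collections import Counter, defaultdict

# Root-cause codes as named in the abstract. Consequence and location labels
# are assumptions of this example, not the paper's exact category names.
ROOT_CAUSES = {"CON", "INP", "MEM", "LOG"}

# Constructed sample: (project, root_cause, consequence, location, cvss_v2)
SAMPLE_BUGS = [
    ("Apache Tomcat",      "INP", "DataLeak",   "web",    5.0),
    ("Apache Tomcat",      "CON", "AuthBypass", "web",    6.5),
    ("Apache HTTP Server", "INP", "DoS",        "web",    5.0),
    ("Apache HTTP Server", "LOG", "DoS",        "server", 5.0),
    ("Mozilla Firefox",    "MEM", "CodeExec",   "client", 9.3),
    ("Mozilla Firefox",    "MEM", "Crash",      "client", 7.5),
    ("Mozilla Firefox",    "INP", "DataLeak",   "web",    4.3),
    ("Linux Kernel",       "MEM", "PrivEsc",    "kernel", 7.2),
    ("Linux Kernel",       "LOG", "DoS",        "kernel", 4.9),
    ("Linux Kernel",       "LOG", "DoS",        "kernel", 7.8),
    ("Eclipse",            "CON", "DataLeak",   "web",    5.0),
    ("Eclipse",            "INP", "CodeExec",   "client", 7.5),
]

PROJECT, ROOT, CONSEQUENCE, LOCATION, CVSS = range(5)


def cvss_v2_band(score):
    """NVD's CVSS v2 bands: LOW 0.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10.0.
    Assumption: this is what 'severity is high' maps to in this example."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def conditional_share(bugs, given, target):
    """P(target | given) as nested dicts, e.g. P(location | root cause)."""
    counts = defaultdict(Counter)
    for rec in bugs:
        if rec[ROOT] not in ROOT_CAUSES:
            raise ValueError(f"unknown root cause: {rec[ROOT]}")
        counts[rec[given]][rec[target]] += 1
    return {g: {t: n / sum(c.values()) for t, n in c.items()}
            for g, c in counts.items()}


def dominant(bugs, given, target):
    """Most common target value per given value, as (value, share).
    Ties resolve to the value first seen in the input."""
    return {g: max(d.items(), key=lambda kv: kv[1])
            for g, d in conditional_share(bugs, given, target).items()}


def severity_high_share(bugs):
    """Fraction of bugs whose CVSS v2 band is HIGH (finding (3) style)."""
    bands = Counter(cvss_v2_band(rec[CVSS]) for rec in bugs)
    return bands["HIGH"] / len(bugs)


def root_cause_ranking(bugs):
    """Root causes ordered by frequency (finding (2) style)."""
    return Counter(rec[ROOT] for rec in bugs).most_common()


if __name__ == "__main__":
    print("root causes:", root_cause_ranking(SAMPLE_BUGS))
    print("location | root cause:", dominant(SAMPLE_BUGS, ROOT, LOCATION))
    print("consequence | root cause:", dominant(SAMPLE_BUGS, ROOT, CONSEQUENCE))
    print(f"share rated HIGH: {severity_high_share(SAMPLE_BUGS):.0%}")
```

On the constructed sample, INP bugs are mostly on the web and every LOG bug ends in DoS, which is the shape of findings (4) and (5); whether those hold on real data is exactly what the paper's 1076-report analysis establishes.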
- Is Part Of:
- Journal of software. Volume 33:Issue 10(2021)
- Journal:
- Journal of software
- Issue:
- Volume 33:Issue 10(2021)
- Issue Display:
- Volume 33, Issue 10 (2021)
- Year:
- 2021
- Volume:
- 33
- Issue:
- 10
- Issue Sort Value:
- 2021-0033-0010-0000
- Page Start:
- n/a
- Page End:
- n/a
- Publication Date:
- 2021-09-02
- Subjects:
- bug characteristics -- empirical study -- security bugs
Software engineering -- Periodicals
Computer software -- Development -- Periodicals
Software maintenance -- Periodicals
005.1
- Journal URLs:
- http://onlinelibrary.wiley.com/journal/10.1002/(ISSN)2047-7481
http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/smr.2376
- Languages:
- English
- ISSNs:
- 2047-7473
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 19333.xml