An Empirical Investigation on Vulnerability for Software Companies

Abstract

This research analyzes software vulnerability information from the perspective of software companies. A total of 13019 vulnerabilities from 136 software companies were collected from a public vulnerability database. A latent class model classifies the companies into three classes based on vulnerability information during a five-year period, and then three class-specific models pinpoint the most significant key features of vulnerabilities for each class. A class I company can reduce vulnerability level if it puts focus on "boundary condition errors," "input validation errors," and "exception handling errors." A class II company needs to emphasize "access validation errors" and "race condition errors." Interestingly, a class III company needs to avoid any potential "origin validation errors," "boundary condition errors," "design errors," and "access validation errors." With these significant key features information, software companies can effectively reduce vulnerability by managing related errors throughout the development and testing process.