Abstract
In economic models of cybersecurity, security investment yields positive, but diminishing, returns. If that were true for software vulnerabilities, fix rates should decrease, whereas the time between successive fixes should go up as vulnerabilities become fewer and harder to fix.

In this work, we examine the empirical evidence for this hypothesis for Mozilla, Apache httpd and Apache Tomcat over the last several years. By looking at 292 vulnerability reports for Mozilla, 66 for Apache, and 21 for Tomcat, we find that the number of people committing vulnerability fixes changes proportionally to the number of vulnerability fixes for Mozilla and Tomcat, but not for Apache httpd.

Our findings do not support the hypothesis that vulnerability fix rates decline. It seems as if the supply of easily fixable vulnerabilities is not running out and returns are not diminishing (yet).

Additionally, software security has traditionally been viewed as an arms race between attackers and defenders. Recent work in an unrelated field has produced precise mathematical models for such arms races, but again the evidence we find is scant and does not support the hypothesis of an arms race (of this kind).
Notes
- 1.
The authors use ‘convex’ instead of ‘concave’, and by ‘convex’ they mean “any twice continuously differentiable function”. But unless that function has a negative second derivative, the diminishing returns don’t happen. However, a negative second derivative is a criterion of concavity, not convexity, and twice continuous differentiability is not needed for concavity.
- 2.
- 3.
See comment on changeset 56642:882525a98119.
- 4.
http://httpd.apache.org/security/vulnerabilities_x.html, where x is either 13, 20, 22, or 23.
- 5.
http://tomcat.apache.org/security-x.html, where x is either 5, 6, or 7.
- 6.
Even though a linear regression on the model \(\log \mathit{days} = \log a + b\,\log(\mathit{checkins} + 1)\) gives excellent p- and \(R^2\)-values, we cannot infer from this that the distribution obeys a power law. This is because (1) parameter estimation for power law distributions from linear regression is prone to large systematic biases, (2) the data do not span sufficiently many orders of magnitude for a reliable check, and (3) even with much data, power laws are very hard to distinguish from other heavy-tailed distributions such as the log-normal distribution [5]. Fortunately, the precise nature of the distribution is not important for this work, since we are here concerned with an empirical description and not with forecasting. The problems with estimating power laws with linear regression were brought to our attention by one of the anonymous reviewers.
- 7.
A real function L is slowly varying if for all real c > 0 we have \(\lim _{x\rightarrow \infty }L(\mathit{cx})/L(x) = 1\).
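The caveat in note 6 can be seen directly: the log-log regression on the model \(\log \mathit{days} = \log a + b\,\log(\mathit{checkins}+1)\) reports a high \(R^2\) even when the underlying relation is not a power law. The code below is an added illustration, not the chapter's own analysis; the samples are constructed (an exact power law and an exponential relation over one to two orders of magnitude), and the fitting routine is plain least squares written from scratch.

```python
import math


def fit_loglog(checkins, days):
    """Least-squares fit of log(days) = log(a) + b * log(checkins + 1).

    Returns (log_a, b, r_squared). This is the regression from note 6;
    a high r_squared on a narrow range does not establish a power law.
    """
    xs = [math.log(c + 1) for c in checkins]
    ys = [math.log(d) for d in days]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    b = sxy / sxx
    log_a = my - b * mx
    r2 = (sxy * sxy) / (sxx * syy)
    return log_a, b, r2


def power_law_sample(a=3.0, b=0.7, n=20):
    # Constructed data: an exact power law, days = a * (checkins + 1)^b.
    checkins = list(range(1, n + 1))
    return checkins, [a * (c + 1) ** b for c in checkins]


def exponential_sample(a=2.0, k=0.15, n=20):
    # Constructed data: NOT a power law, days = a * exp(k * checkins).
    checkins = list(range(1, n + 1))
    return checkins, [a * math.exp(k * c) for c in checkins]


if __name__ == "__main__":
    for name, sample in (("power law", power_law_sample()),
                         ("exponential", exponential_sample())):
        log_a, b, r2 = fit_loglog(*sample)
        # Both fits look "excellent" by R^2 alone; only the first
        # actually comes from a power law.
        print(f"{name:12s} a={math.exp(log_a):.3f} b={b:.3f} R^2={r2:.3f}")
```

On the power-law sample the fit recovers b exactly with \(R^2 = 1\); on the exponential sample \(R^2\) is still close to 0.9, which is why note 6 refuses to read a power law into the regression.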
References
Baker, M.J., Eick, S.G.: Visualizing software systems. In: Proceedings of the 16th International Conference on Software Engineering, ICSE’94, Sorrento, pp. 59–67 (1994)
Ball, T., Eick, S.: Software visualization in the large. Computer 29(4), 33–43 (1996)
Bird, C., Bachmann, A., Aune, E., Duffy, J., Bernstein, A., Filkov, V., Devanbu, P.: Fair and balanced? Bias in bug-fix datasets. In: Proceedings of the ESEC/FSE’09, Amsterdam, pp. 121–130 (2009)
Carroll, L.: Through the Looking-Glass. Macmillan and Co, London (1871)
Clauset, A., Shalizi, C.R., Newman, M.E.J.: Power-law distributions in empirical data. SIAM Rev. 51, 661–703 (2009)
de Solla Price, D.J.: Networks of scientific papers. Science 149(3683), 510–515 (1965)
Frei, S.: Security econometrics – the dynamics of (in)security. ETH Zürich, Dissertation 18197, ETH Zurich (2009)
Frei, S., Schatzmann, D., Plattner, B., Trammell, B.: Modelling the security ecosystem – the dynamics of (in)security. In: Anderson, R. (ed.) Workshop on the Economics of Information Security (WEIS), Cambridge (2009)
Johnson, N., Carran, S., Botner, J., Fontaine, K., Laxague, N., Nuetzel, P., Turnley, J., Tivnan, B.: Pattern in escalations in insurgent and terrorist activity. Science 333(6038), 81–84 (2011)
Kim, S., Zimmermann, T., Pan, K., Whitehead Jr., E.J.: Automatic identification of bug introducing changes. In: Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering, Tokyo, pp. 81–90 (2006)
Maillart, T., Sornette, D., Frei, S., Duebendorfer, T., Saichev, A.: Quantification of deviations from rationality with heavy-tails in human dynamics. ArXiv e-prints (2010)
Massacci, F., Nguyen, V.H.: Which is the right source for vulnerability studies? An empirical analysis on Mozilla Firefox. In: Proceedings of the 6th International Workshop on Security Measurements and Metrics, MetriSec’10, Bolzano, pp. 4:1–4:8 (2010)
Massacci, F., Neuhaus, S., Nguyen, V.H.: After-life vulnerabilities: a study on Firefox evolution, its vulnerabilities, and fixes. In: Proceedings of the ESSoS’11, Madrid. Lecture Notes in Computer Science, vol. 6542, pp. 195–208 (2011)
Mozilla Foundation: Mozilla-Announce mailing list. https://lists.mozilla.org/listinfo/announce (2012)
Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, pp. 529–540 (2007)
Ozment, A., Schechter, S.E.: Milk or wine: does software security improve with age? In: Proceedings of the 15th Usenix Security Symposium, Vancouver, pp. 93–104 (2006)
Phipps, G.: Comparing observed bug and productivity rates for Java and C++. Softw. Pract. Exp. 29, 345–358 (1999)
Rescorla, E.: Is finding security holes a good idea? IEEE Secur. Priv. 3(1), 14–19 (2005)
Resnick, S.I.: Heavy tail modeling and teletraffic data. Ann. Stat. 25(8), 1805–1869 (1997)
Rue, R., Pfleeger, S.L.: Making the best use of cybersecurity economic models. IEEE Secur. Priv. 7, 52–60 (2009)
Schryen, G.: Is open source security a myth? What does vulnerability and patch data say? Commun. ACM 54(5), 130–140 (2011)
Śliwerski, J., Zimmermann, T., Zeller, A.: When do changes induce fixes? In: Proceedings of the Second International Workshop on Mining Software Repositories, St. Louis, pp. 24–28 (2005)
Acknowledgements
We thank Sandy Clark, Jonathan M. Smith and Matt Blaze for constructive discussions and for finding reference [9]; Brian Trammell for suggesting the title of this chapter; the Tomcat security team for answering our questions; Christian Holler for information about the Mozilla development process; Dominik Schatzmann for excellent suggestions on early drafts of the chapter; Thomas Maillart for excellent and fruitful discussions and a gentle pointer towards reference [11]; and the anonymous reviewers for raising many excellent points and making helpful suggestions.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Neuhaus, S., Plattner, B. (2013). Software Security Economics: Theory, in Practice. In: Böhme, R. (ed.) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_4
DOI: https://doi.org/10.1007/978-3-642-39498-0_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39497-3
Online ISBN: 978-3-642-39498-0