We examine the code base of the OpenBSD operating system to determine whether its security is increasing over time. We measure the rate at which new code has been introduced and the rate at which vulnerabilities have been reported over the last 7.5 years and fifteen versions.
We learn that 61% of the lines of code in today's OpenBSD are foundational: they were introduced prior to the release of the initial version we studied and have not been altered since. We also learn that 62% of reported vulnerabilities were present when the study began and can also be considered to be foundational. We find strong statistical evidence of a decrease in the rate at which foundational vulnerabilities are being reported. However, this decrease is anything but brisk: foundational vulnerabilities have a median lifetime of at least 2.6 years.
Finally, we examined the density of vulnerabilities in the code that was altered/introduced in each version. The densities ranged from 0 to 0.033 vulnerabilities reported per thousand lines of code. These densities will increase as more vulnerabilities are reported.
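The three kinds of figures the abstract reports (foundational share of code, per-release vulnerability density per KLOC, and a censored median lifetime for foundational vulnerabilities) can be computed as below. This is an added example with constructed data, not the paper's own code or dataset; the release labels, line counts and lifetimes are assumptions chosen for illustration.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# Constructed: lines in the current tree, attributed to the release that
# introduced or last altered them ("foundational" = predates the study).
LINES_BY_VERSION: Dict[str, int] = {
    "foundational": 610_000, "release A": 150_000, "release B": 240_000}
# Constructed: vulnerabilities reported so far, attributed the same way.
VULNS_BY_VERSION: Dict[str, int] = {
    "foundational": 20, "release A": 5, "release B": 0}
# Constructed: foundational vulnerabilities as (years from study start to
# report, reported?). Measuring from study start makes each lifetime a lower
# bound, since the code predates the study. reported=False marks one still
# unreported when the 7.5-year window closed (right-censored).
FOUNDATIONAL_LIFETIMES: List[Tuple[float, bool]] = [
    (0.5, True), (1.0, True), (1.5, True), (2.0, True), (2.6, True),
    (3.1, True), (4.0, True), (7.5, False), (7.5, False), (7.5, False)]


def foundational_share(lines_by_version: Dict[str, int]) -> float:
    """Fraction of today's code that predates the study and is unaltered."""
    return lines_by_version["foundational"] / sum(lines_by_version.values())


def density_per_kloc(vulns: Dict[str, int],
                     lines: Dict[str, int]) -> Dict[str, float]:
    """Vulnerabilities reported per thousand lines attributed to each release.
    Only a lower bound: further reports can still arrive for every release."""
    return {v: vulns.get(v, 0) / (lines[v] / 1000) for v in lines}


def km_median_lifetime(lifetimes: List[Tuple[float, bool]]) -> Optional[float]:
    """Kaplan-Meier estimate of the median lifetime, with unreported
    vulnerabilities treated as right-censored. Returns None when the survival
    curve never reaches 0.5 inside the observation window (median is beyond
    it). Exact fractions avoid floating-point drift at the 0.5 boundary."""
    times = [t for t, _ in lifetimes]
    survival = Fraction(1)
    for t in sorted(set(times)):
        at_risk = sum(1 for tt in times if tt >= t)        # still unreported just before t
        reported = sum(1 for tt, r in lifetimes if tt == t and r)
        if reported:
            survival *= Fraction(at_risk - reported, at_risk)
        if survival <= Fraction(1, 2):
            return t
    return None


if __name__ == "__main__":
    print(f"foundational share: {foundational_share(LINES_BY_VERSION):.2%}")
    print("density per KLOC:", density_per_kloc(VULNS_BY_VERSION, LINES_BY_VERSION))
    print("median foundational lifetime >=", km_median_lifetime(FOUNDATIONAL_LIFETIMES), "years")
```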