Detecting the 1%: Growing the Science of Vulnerability Discovery
Daily news reports reveal the increasingly sophisticated security breaches that threaten our national security, our cyber infrastructure, our health, our finances, and democracy itself. Vulnerabilities enable these breaches. Yet our studies, and those of other researchers, indicate that detected vulnerabilities are rare events, appearing in about 1-4% of software files. Protecting the American people and the American way of life, as outlined in the 2017 U.S. National Security Strategy, requires that organizations detect the 1% of files that contain exploitable vulnerabilities so that those vulnerabilities can be remediated. Proactive security review and testing are necessary components of the software development life cycle, but resource limitations often preclude reviewing and testing the entire code base. Making informed decisions about which code to review can improve a team's ability to find and remove more exploitable vulnerabilities. Engineers looking to prioritize security inspection and testing efforts may therefore be better served by vulnerability-based detection techniques and tools, together with effective prediction models. This talk will present an overview of extensive research on vulnerabilities and vulnerability discovery.