DeepAI AI Chat
Log In Sign Up

An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

04/18/2023
by   Jonathan M. Spring, et al.
0

Vulnerability management strategy, from both organizational and public policy perspectives, hinges on an understanding of the supply of undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is small enough, then a reasonable investment strategy would be to focus on finding and removing the remaining undiscovered vulnerabilities. If the number of undiscovered vulnerabilities is and will continue to be large, then a better investment strategy would be to focus on quick patch dissemination and engineering resilient systems. This paper examines a paradigm, namely that the number of undiscovered vulnerabilities is manageably small, through the lens of mathematical concepts from the theory of computing. From this perspective, we find little support for the paradigm of limited undiscovered vulnerabilities. We then briefly support the notion that these theory-based conclusions are relevant to practical computers in use today. We find no reason to believe undiscovered vulnerabilities are not essentially unlimited in practice and we examine the possible economic impacts should this be the case. Based on our analysis, we recommend vulnerability management strategy adopts an approach favoring quick patch dissemination and engineering resilient systems, while continuing good software engineering practices to reduce (but never eliminate) vulnerabilities in information systems.

READ FULL TEXT

page 1

page 2

page 3

page 4

03/19/2022

An Exploratory Study into Vulnerability Chaining Blindness Terminology and Viability

To tie together the concepts of linkage blindness and the inability to l...
05/28/2020

The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL

Context: The Heartbleed vulnerability brought OpenSSL to international a...
12/11/2022

Understanding Concurrency Vulnerabilities in Linux Kernel

While there is a large body of work on analyzing concurrency related sof...
06/24/2020

Exploring the Security Awareness of the Python and JavaScript Open Source Communities

Software security is undoubtedly a major concern in today's software eng...
12/07/2020

Vulnerability Forecasting: In theory and practice

Why wait for zero-days when you could predict them in advance? It is pos...
07/24/2020

A Case Study on Software Vulnerability Coordination

Context: Coordination is a fundamental tenet of software engineering. Co...