Studying trends in system vulnerabilities shows some degree of progress, but it is slow. At the same time, we see bugs ranging from user annoyances to major security flaws in a great deal of consumer software. How are ordinary bugs and security vulnerabilities related? Vulnerability studies show that about two thirds of vulnerabilities are the result of ordinary coding errors, not security-specific flaws. But other studies have found little or no correlation between bug counts and later vulnerabilities. How can both lines of research be correct? If most vulnerabilities are caused by regular coding errors, why isn’t there a stronger correlation between the two? In this talk, we’ll show that there really is no conflict, and that the explanation points to ways of reducing ordinary errors as well as security flaws.
Associate Editor of IEEE Transactions on Reliability
Computer Security Division
National Institute of Standards and Technology
Gaithersburg, Maryland, USA
Rick Kuhn is a computer scientist in the Computer Security Division of the National Institute of Standards and Technology and is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE). He has authored three books and more than 150 papers on information security, empirical studies of software failure, and combinatorial methods in software testing, and co-developed the role-based access control (RBAC) model used worldwide. Before joining NIST, he worked as a software developer with NCR Corporation and the Johns Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland, College Park.