NTRS - NASA Technical Reports Server

Security Vulnerability Profiles of Mission Critical Software: Empirical Analysis of Security Related Bug Reports

While some prior research work exists on characteristics of software faults (i.e., bugs) and failures, very little work has been published on analysis of software applications vulnerabilities. This paper aims to contribute towards filling that gap by presenting an empirical investigation of application vulnerabilities. The results are based on data extracted from issue tracking systems of two NASA missions. These data were organized in three datasets: Ground mission IV&V issues, Flight mission IV&V issues, and Flight mission Developers issues. In each dataset, we identified security related software bugs and classified them in specific vulnerability classes. Then, we created the security vulnerability profiles, i.e., determined where and when the security vulnerabilities were introduced and what were the dominating vulnerabilities classes. Our main findings include: (1) In IV&V issues datasets the majority of vulnerabilities were code related and were introduced in the Implementation phase. (2) For all datasets, around 90% of the vulnerabilities were located in two to four subsystems. (3) Out of 21 primary classes, five dominated: Exception Management, Memory Access, Other, Risky Values, and Unused Entities. Together, they contributed from 80% to 90% of vulnerabilities in each dataset.
Document ID
20170010339
Acquisition Source
Goddard Space Flight Center
Document Type
Conference Paper
Authors
Goseva-Popstojanova, Katerina
(West Virginia Univ. Morgantown, WV, United States)
Tyo, Jacob
(West Virginia Univ. Morgantown, WV, United States)
Date Acquired
October 26, 2017
Publication Date
October 23, 2017
Subject Category
Computer Programming And Software
Report/Patent Number
GSFC-E-DAA-TN42524
Meeting Information
Meeting: IEEE International Symposium on Software Reliability Engineering
Location: Toulouse
Country: France
Start Date: October 23, 2017
End Date: October 26, 2017
Sponsors: Institute of Electrical and Electronics Engineers
Funding Number(s)
CONTRACT_GRANT: NNG12SA03C
Distribution Limits
Public
Copyright
Public Use Permitted.