An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

Abstract

This paper will bring computing theory and security operations into conversation to answer the question: how many undiscovered vulnerabilities are there in a piece of software? The answers to this question influence how both theoretical computer science and security operations should behave. The answer the paper's arguments support is that there are always more undiscovered vulnerabilities in any modern deployed software. We will also provide some possible directions for economic and research reactions to this situation. Eminent security writers such as Dan Geer [13] and Bruce Schneier [24] have weighed in on these questions. Both reach similar conclusions, very differently worded. Geer states "I believe that vulns are scarce enough for [cornering the global vulnerability market] to work," whereas Schneier states "But while vulnerabilities are plentiful, they're not uniformly distributed. [P]ractices that eliminate many easy-to-find ones greatly improve software security." Dale Peterson and Josh Corman state that vulnerabilities are dense in medical devices, and mostly want to get on to discussing what to do about it [20].

Document Details

Document Type
Technical Report
Publication Date
Feb 25, 2022
Accession Number
AD1161246

Entities

People

  • Jonathan M. Spring

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Engineered Resilient Systems

DTIC Thesaurus Topics

  • Automata
  • Central Processing Units
  • Computations
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Cybersecurity
  • Department Of Defense
  • Detection
  • Engineering
  • Information Systems
  • Intrusion Detectors
  • Numbers
  • Rational Numbers
  • Software Design
  • Software Development
  • Theoretical Computer Science
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Educational Psychology
  • Military History