Colorado State University
In this paper, the authors examine the feasibility of quantitatively characterizing some aspects of security. In particular, they investigate if it is possible to predict the number of vulnerabilities that can potentially be present in a software system but may not have been found yet. They use several major operating systems as representatives of complex software systems. The data on vulnerabilities discovered in these systems are analyzed. They examine the results to determine if the density of vulnerabilities in a program is a useful measure. They also address the question about what fraction of software defects are security related, i.e., are vulnerabilities.