The Tip of the Iceberg
ACM Transactions on Privacy and Security (IF 3.0), Pub Date: 2020-09-28, DOI: 10.1145/3406112
Nikolaos Alexopoulos (1), Sheikh Mahbub Habib (2), Steffen Schulz (3), Max Mühlhäuser (1)
In this article, we investigate a fundamental question regarding software security: Is the security of SW releases increasing over time? We approach this question with a detailed analysis of the large body of open-source software packaged in the popular Debian GNU/Linux distribution. Contrary to common intuition, we find no clear evidence that the vulnerability rate of widely used software decreases over time: Even in popular and “stable” releases, the fixing of bugs does not seem to reduce the rate of newly identified vulnerabilities. The intuitive conclusion is worrisome: Commonly employed development and validation procedures do not seem to scale with the increase of features and complexity—they are only chopping pieces off the top of an iceberg of vulnerabilities. To the best of our knowledge, this is the first investigation into the problem that studies a complete distribution of software, spanning multiple versions. Although we cannot give a definitive answer, we show that several popular beliefs also cannot be confirmed given our dataset. We publish our Debian Vulnerability Analysis Framework (DVAF), an automated dataset creation and analysis process, to enable reproduction and further analysis of our results. Overall, we hope our contributions provide important insights into the vulnerability discovery process and help in identifying effective techniques for vulnerability analysis and prevention.

Updated: 2020-09-28