Data-Driven Software Assurance: A Research Study
May 2014 • Technical Report
Michael D. Konrad, Art Manion, Andrew P. Moore, Julia L. Mullaney, William Nichols, Michael F. Orlando, Erin Harper
In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division. A research project was launched to investigate design-related vulnerabilities and quantify their effects.
Publisher: Software Engineering Institute
CMU/SEI Report Number: CMU/SEI-2014-TR-010
DOI (Digital Object Identifier): 10.1184/R1/6572891.v1
Abstract
Software vulnerabilities are defects or weaknesses in a software system that, if exploited, can lead to compromise of the control of a system or the information it contains. The problem of vulnerabilities in fielded software is pervasive and serious. In 2012, Software Engineering Institute (SEI) researchers began investigating vulnerabilities reported to the SEI's CERT Division and determined that a large number of significant and pernicious software vulnerabilities likely had their origins early in the software development life cycle, in the requirements and design phases.
A research project was launched to investigate design-related vulnerabilities and quantify their effects. The Data-Driven Software Assurance project examined the origins of design vulnerabilities, their mitigations, and the resulting economic implications. Stage 1 of the project included three phases: 1) conduct of a mapping study and literature review, 2) conduct of detailed vulnerability analyses, and 3) development of an initial economic model.
The results of Stage 1 indicate that a broader initial focus on secure design yields substantial benefits to both the developer and operational communities and point to ways to intervene in the software development life cycle (or operations) to mitigate vulnerabilities and their impacts. This report describes Stage 1 activities and outlines plans for follow-on work in Stage 2.