1. Introduction
Information security is one of the most critical concerns for organizations (Soomro et al., 2016; Toutouh et al., 2018; Muñoz et al., 2013). With the extensive use of information systems and software applications, software vulnerability has become an essential component of information security. Software vulnerability often refers to software coding and implementation defects that lead to malicious exploits of systems and to incidents affecting the confidentiality, integrity, and availability of data and systems. These defects include safety-related design errors, coding defects, and operation faults arising across the software life cycle (Luo et al., 2020).
Software vulnerabilities can present significant risks for the organization; therefore, investigating vulnerability characteristics can be highly valuable in predicting future vulnerabilities (Spanos and Angelis, 2018). In order to manage software vulnerability, public databases were established to collect vulnerability information such as features (errors), descriptions, severity level, root cause, exploitation type, the scope of vulnerabilities, among others. One notable example is the National Vulnerability Database (NVD), established by the National Institute of Standards and Technology of the United States. Since its inception in 1999, NVD has published information about over 150,000 software vulnerabilities affecting numerous software applications (http://www.cnnvd.org.cn/). The rapid growth of software vulnerabilities leads to many critical data breaches, causing substantial reputational and financial losses.
With the availability of software vulnerability information, analysis of this information plays a critical role in preventing and mitigating security exploits. One popular research stream in the literature focuses on vulnerability classification and prediction based on historical data (Zhang et al., 2011; Li et al., 2017; Murtaza et al., 2016; Spanos and Angelis, 2018; Huang et al., 2019). Most research aims to build models that classify vulnerabilities and predict potential new vulnerabilities in software products. For example, Murtaza et al. (2016) investigate the historical patterns of vulnerabilities to predict future vulnerabilities in software applications, utilizing the National Vulnerability Database (NVD) information. The study shows that the same vulnerability feature (e.g., buffer errors) may repeatedly occur hundreds of times in a software product. While it is essential to analyze vulnerability characteristics shown in software products or applications from a public or generic perspective, it is also intuitive to investigate this problem at a firm level: can we explore vulnerability features by the software development companies?
This study focuses on software development companies to investigate vulnerability features and characteristics. In fact, from a software company's perspective, reducing vulnerabilities helps improve its software quality and promotes a reliable and trustworthy reputation. In other words, software companies should be motivated to analyze and manage software vulnerabilities effectively. However, to the best of our knowledge, few studies have ever investigated vulnerability information from a software company's perspective.