Predicting unknown vulnerabilities using software metrics and maturity models
We face an increasing reliance on software-based services, applications, platforms, and infrastructures to accomplish daily activities. Vulnerabilities can be introduced at any stage of the software life cycle, and these vulnerabilities could lead to security attacks. It is known that as software complexity increases, discovering a new security vulnerability introduced by subsequent updates and code changes becomes more difficult. This can be seen from the rate at which new vulnerabilities are discovered after a software release. IT products' vulnerabilities sometimes remain undiscovered for many years. In this paper, we report our study of IT products' source code using software maturity models and the history of discovered vulnerabilities. We use this data to develop a model that predicts the number of security vulnerabilities contained in a product, including vulnerabilities not yet discovered. Our proposed approach can be used to explore proactive strategies for mitigating the risks due to zero-day vulnerabilities.