Abstract
Computer security professionals and researchers do not have a history of
sharing and analyzing computer vulnerability information. Scientists and
engineers from older or more established fields have long understood that
publicizing, analyzing, and learning from other people's mistakes is essential
to the stepwise refinement of complex systems. Computer scientists, however,
have not followed suit. Programmers reinvent classical programming mistakes,
contributing to the reappearance of known vulnerabilities.
In the recent past, computer systems have come to be a part of critical systems
that have a direct effect on the safety and well-being of human beings, and
hence we must have a lower tolerance for software failures.
In this dissertation I will attempt to show that computer vulnerability information
exhibits important regularities, that these regularities can be detected and possibly
visualized, and that they provide important insight into why vulnerabilities exist
and why they remain so prevalent. The information derived from these observations
could be used to improve all phases of the development of software systems, such as
the design, development, debugging, testing and maintenance of complex computer
systems that must implement a set of policies defined by a security analysis.
A significant portion of the work that must be performed will concentrate on the
development of classifications and taxonomies that permit the visualization
and analysis of computer vulnerability information. I hope that these classifications
and taxonomies, applied to a collection of vulnerabilities, will provide a set of
features whose analysis will show clear statistical clusterings and patterns that
arise because developers and programmers are not learning from each other's
mistakes. This analysis may be performed by applying statistical analysis and
knowledge discovery tools.