Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server

Software Security metrics are quantitative measures related to a software system’s level of trustworthiness. They can be used to aid in resource allocation, program planning, risk assessment, and product and service selection. Recently researchers have proposed several software security metrics. Among these are attack surface and vulnerability density. The attack surface measure has been used by a few major software companies, such as Microsoft, Hewlett-Packard, and SAP. The vulnerability density measure has been applied by some researchers to Windows and Linux family of operating systems, in addition to some web servers and browsers. Despite their promise, establishing the validity of software security metrics remains a key challenge. A single security metric may be unable to measure all aspects of security and hence the use of multiple metrics may be needed in some situations. To assess the applicability of the metrics quantifying individual as well as multiple aspects of security, we explore the relationship between the attack surface and vulnerability density metrics. For this examination, the source code and vulnerabilities data of two releases of Apache HTTP Server have been examined. While the results show that the attack surface and vulnerability density are related, further investigations are needed to develop methods that combine them.