Abstract

Software vulnerabilities present a major threat to businesses and individuals alike, and it is therefore critical that a culture exists among software engineers that encourages the discovery and patching of security flaws. Vulnerability counts are a common way of evaluating a project's security. However, this metric can run counter to building a developer culture of fault recognition if a higher vulnerability count is always seen as a bad thing. While these counts can present a rough idea of a project's history with security, they provide no insight into how the development team improves and learns as a result of a vulnerability. A mature project with a long history of process improvement after a vulnerability may be seen as more dangerous to use than another project with no history of process improvement but few vulnerabilities. This dissertation presents new metrics, which we call Vulnerability Recidivism, that evaluate a project's security processes based on the repetition of vulnerabilities. These metrics aim to promote both vulnerability discovery and process revision after a vulnerability has been patched. The goal of this dissertation is to enable developers and stakeholders to evaluate their security processes and security posture. This goal is furthered by three core areas of study: 1) an evaluation of current recidivism measurements from current tools and practices, 2) a systematic literature review of how repeated vulnerabilities are covered in published research, and 3) an empirical evaluation of recidivism metrics in comparison to existing software metrics, with measurements from 1,213 open-source projects. These new Vulnerability Recidivism metrics allow the development culture to move closer to one that champions process improvement and the recognition of errors.

Publication Date

4-2026

Document Type

Dissertation

Student Type

Graduate

Degree Name

Computing and Information Sciences (Ph.D.)

Department, Program, or Center

Department of Computing and Information Sciences Ph.D.

College

Golisano College of Computing and Information Sciences

Advisor

Andrew Meneely

Advisor/Committee Member

Xueling Zhang

Advisor/Committee Member

Rajendra Raj

Campus

RIT Kosovo