Dive Brief:
- Researchers at New York University, MIT’s Lincoln Laboratory and Northeastern University are purposely adding bugs to software in order to improve bug detection, according to a Network World report.
- The researchers insert a known number of synthetic bugs into a program and then record which ones bug-finding tools locate and which evade detection.
- So far, the tools tested have detected the injected bugs only 2% of the time.
Dive Insight:
Many organizations struggle to detect active threats or flaws in their systems, leaving vulnerabilities that can be exploited later. As software grows more complex, better ways of evaluating and improving detection tools are needed to ensure both security and correct functionality.
The researchers created the synthetic vulnerabilities with a method called large-scale automated vulnerability addition (LAVA).
"The only way to evaluate a bug finder is to control the number of bugs in a program, which is exactly what we do with LAVA," Brendan Dolan-Gavitt, a computer science and engineering professor at NYU’s Tandon School of Engineering, told Network World.
Not only did the tools find far too few bugs, researchers said, they also regularly reported bugs that did not exist (false positives). By studying the injected bugs that go undetected, the researchers hope to help companies build more effective bug-finding tools. The group recently released a paper on its findings.