6,238 research outputs found
Recommended from our members
A Large-Scale Study of Modern Code Review and Security in Open Source Projects.
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry
demand for more cyber security expertise in the workforce, the effect of
security education and experience on the ability to assess complex software
security problems has only been recently investigated. As proxy for the full
range of software security skills, we considered the problem of assessing the
severity of software vulnerabilities by means of a structured analysis
methodology widely used in industry (i.e. the Common Vulnerability Scoring
System (\CVSS) v3), and designed a study to compare how accurately individuals
with background in information technology but different professional experience
and education in cyber security are able to assess the severity of software
vulnerabilities. Our results provide some structural insights into the complex
relationship between education or experience of assessors and the quality of
their assessments. In particular we find that individual characteristics matter
more than professional experience or formal education; apparently it is the
\emph{combination} of skills that one owns (including the actual knowledge of
the system under study), rather than the specialization or the years of
experience, to influence more the assessment quality. Similarly, we find that
the overall advantage given by professional expertise significantly depends on
the composition of the individual security skills as well as on the available
information.Comment: Presented at the Workshop on the Economics of Information Security
(WEIS 2018), Innsbruck, Austria, June 201
Recommended from our members
Evaluating the resilience and security of boundaryless, evolving socio-technical Systems of Systems
Collaborative Application Security Testing for DevSecOps: An Empirical Analysis of Challenges, Best Practices and Tool Support
DevSecOps is a software development paradigm that places a high emphasis on
the culture of collaboration between developers (Dev), security (Sec) and
operations (Ops) teams to deliver secure software continuously and rapidly.
Adopting this paradigm effectively, therefore, requires an understanding of the
challenges, best practices and available solutions for collaboration among
these functional teams. However, collaborative aspects related to these teams
have received very little empirical attention in the DevSecOps literature.
Hence, we present a study focusing on a key security activity, Application
Security Testing (AST), in which practitioners face difficulties performing
collaborative work in a DevSecOps environment. Our study made novel use of 48
systematically selected webinars, technical talks and panel discussions as a
data source to qualitatively analyse software practitioner discussions on the
most recent trends and emerging solutions in this highly evolving field. We
find that the lack of features that facilitate collaboration built into the AST
tools themselves is a key tool-related challenge in DevSecOps. In addition, the
lack of clarity related to role definitions, shared goals, and ownership also
hinders Collaborative AST (CoAST). We also captured a range of best practices
for collaboration (e.g., Shift-left security), emerging communication methods
(e.g., ChatOps), and new team structures (e.g., hybrid teams) for CoAST.
Finally, our study identified several requirements for new tool features and
specific gap areas for future research to provide better support for CoAST in
DevSecOps.Comment: Submitted to the Empirical Software Engineering journal_v
Economic Factors of Vulnerability Trade and Exploitation
Cybercrime markets support the development and diffusion of new attack
technologies, vulnerability exploits, and malware. Whereas the revenue streams
of cyber attackers have been studied multiple times in the literature, no
quantitative account currently exists on the economics of attack acquisition
and deployment. Yet, this understanding is critical to characterize the
production of (traded) exploits, the economy that drives it, and its effects on
the overall attack scenario. In this paper we provide an empirical
investigation of the economics of vulnerability exploitation, and the effects
of market factors on likelihood of exploit. Our data is collected
first-handedly from a prominent Russian cybercrime market where the trading of
the most active attack tools reported by the security industry happens. Our
findings reveal that exploits in the underground are priced similarly or above
vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle
of exploits is slower than currently often assumed. On the other hand,
cybercriminals are becoming faster at introducing selected vulnerabilities, and
the market is in clear expansion both in terms of players, traded exploits, and
exploit pricing. We then evaluate the effects of these market variables on
likelihood of attack realization, and find strong evidence of the correlation
between market activity and exploit deployment. We discuss implications on
vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table
Do Bugs Foreshadow Vulnerabilities? A Study of the Chromium Project
As developers face ever-increasing pressure to engineer secure software, researchers are building an understanding of security-sensitive bugs (i.e. vulnerabilities). Research into mining software repositories has greatly increased our understanding of software quality via empirical study of bugs. However, conceptually vulnerabilities are different from bugs: they represent abusive functionality as opposed to wrong or insufficient functionality commonly associated with traditional, non-security bugs. In this study, we performed an in-depth analysis of the Chromium project to empirically examine the relationship between bugs and vulnerabilities. We mined 374,686 bugs and 703 post-release vulnerabilities over five Chromium releases that span six years of development. Using logistic regression analysis, we examined how various categories of pre-release bugs and review experiences (e.g. stability, compatibility, etc.) are associated with post-release vulnerabilities. While we found statistically significant correlations between our metrics and post-release vulnerabilities, we also found the association to be weak. Number of features, SLOC, and number of pre-release security bugs are, in general, more closely associated with post-release vulnerabilities than any of our non-security bug categories. In a separate analysis, we found that the files with highest defect density did not intersect with the files of highest vulnerability density. These results indicate that bugs and vulnerabilities are empirically dissimilar groups, warranting the need for more research targeting vulnerabilities specifically
Measuring the accuracy of software vulnerability assessments: experiments with students and professionals
Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires to consider multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend from the assessor's knowledge and skills. In this work, we tackle with an important part of this problem by measuring the accuracy of technical vulnerability assessments by assessors with dierent level and type of knowledge. We report an experiment to compare how accurately students with dierent technical education and security professionals are able to assess the severity of software vulnerabilities with the Common Vulnerability Scoring System (v3) industry methodology. Our results could be useful for increasing awareness about the intrinsic subtleties of vulnerability risk assessment and possibly better compliance with regulations. With respect to academic education, professional training and human resources selections our work suggests that measuring the effects of knowledge and expertise on the accuracy of software security assessments is feasible albeit not easy
- …