On Combining Diverse Static Analysis Tools for Web Security: An Empirical Study

Developers frequently rely on free static analysis tools to automatically detect vulnerabilities in the source code of their applications, but it is well-known that the performance of such tools is limited and varies from one software development scenario to another, both in terms of coverage and false positives. Diversity is an obvious direction to take to improve coverage, as different tools usually report distinct vulnerabilities, but this may come with an increase in the number of false alarms. In this paper,we study the problem of combining diverse static analysis tools to detect web vulnerabilities, considering four software development scenarios with different goals and constraints, ranging from low budget to high-end (e.g., business critical) applications. We conducted an experimental campaign with five free static analysis tools to detect vulnerabilities in a workload composed by 134 WordPress plugins. Results clearly show that the best solution depends on the development scenario. Furthermore, in some cases, a single tool performs better than the best combination of tools

Cyber-security Risk Assessment

Cyber-security domain is inherently dynamic. Not only does system configuration changes frequently (with new releases and patches), but also new attacks and vulnerabilities are regularly discovered. The threat in cyber-security is human, and hence intelligent in nature. The attacker adapts to the situation, target environment, and countermeasures. Attack actions are also driven by attacker's exploratory nature, thought process, motivation, strategy, and preferences. Current security risk assessment is driven by cyber-security expert's theories about this attacker behavior. The goal of this dissertation is to automatically generate the cyber-security risk scenarios by: * Capturing diverse and dispersed cyber-security knowledge * Assuming that there are unknowns in the cyber-security domain, and new knowledge is available frequently * Emulating the attacker's exploratory nature, thought process, motivation, strategy, preferences and his/her interaction with the target environment * Using the cyber-security expert's theories about attacker behavior The proposed framework is designed by using the unique cyber-security domain requirements identified in this dissertation and by overcoming the limitations of current risk scenario generation frameworks. The proposed framework automates the risk scenario generation by using the knowledge as it becomes available (or changes). It supports observing, encoding, validating, and calibrating cyber-security expert's theories. It can also be used for assisting the red-teaming process. The proposed framework generates ranked attack trees and encodes the attacker behavior theories. These can be used for prioritizing vulnerability remediation. The proposed framework is currently being extended for developing an automated threat response framework that can be used to analyze and recommend countermeasures. This framework contains behavior driven countermeasures that uses the attacker behavior theories to lead the attacker away from the system to be protected

A Survey on Automated Software Vulnerability Detection Using Machine Learning and Deep Learning

Software vulnerability detection is critical in software security because it identifies potential bugs in software systems, enabling immediate remediation and mitigation measures to be implemented before they may be exploited. Automatic vulnerability identification is important because it can evaluate large codebases more efficiently than manual code auditing. Many Machine Learning (ML) and Deep Learning (DL) based models for detecting vulnerabilities in source code have been presented in recent years. However, a survey that summarises, classifies, and analyses the application of ML/DL models for vulnerability detection is missing. It may be difficult to discover gaps in existing research and potential for future improvement without a comprehensive survey. This could result in essential areas of research being overlooked or under-represented, leading to a skewed understanding of the state of the art in vulnerability detection. This work address that gap by presenting a systematic survey to characterize various features of ML/DL-based source code level software vulnerability detection approaches via five primary research questions (RQs). Specifically, our RQ1 examines the trend of publications that leverage ML/DL for vulnerability detection, including the evolution of research and the distribution of publication venues. RQ2 describes vulnerability datasets used by existing ML/DL-based models, including their sources, types, and representations, as well as analyses of the embedding techniques used by these approaches. RQ3 explores the model architectures and design assumptions of ML/DL-based vulnerability detection approaches. RQ4 summarises the type and frequency of vulnerabilities that are covered by existing studies. Lastly, RQ5 presents a list of current challenges to be researched and an outline of a potential research roadmap that highlights crucial opportunities for future work

Anomaly Detection Through Container Testing: A Survey of Company Practices

Preprint of the conference paper: Anomaly Detection Through Container Testing: A Survey of Company Practices

"False negative -- that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing

The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the limitations of the tools, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify $17$ key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo - challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.Comment: To be published in IEEE Symposium on Security and Privacy 202

Cyber Security of Critical Infrastructures

Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods

Identifying immersive environments’ most relevant research topics: an instrument to query researchers and practitioners

This paper provides an instrument for ascertaining researchers’ perspectives on the relative relevance of technological challenges facing immersive environments in view of their adoption in learning contexts, along three dimensions: access, content production, and deployment. It described its theoretical grounding and expert-review process, from a set of previously-identified challenges and expert feedback cycles. The paper details the motivation, setup, and methods employed, as well as the issues detected in the cycles and how they were addressed while developing the instrument. As a research instrument, it aims to be employed across diverse communities of research and practice, helping direct research efforts and hence contribute to wider use of immersive environments in learning, and possibly contribute towards the development of news and more adequate systems.The work presented herein has been partially funded under the European H2020 program H2020-ICT-2015, BEACONING project, grant agreement nr. 687676.info:eu-repo/semantics/publishedVersio