The Software Vulnerability Ecosystem: Software Development In The Context Of Adversarial Behavior

Software vulnerabilities are the root cause of many computer system security fail- ures. This dissertation addresses software vulnerabilities in the context of a software lifecycle, with a particular focus on three stages: (1) improving software quality dur- ing development; (2) pre- release bug discovery and repair; and (3) revising software as vulnerabilities are found. The question I pose regarding software quality during development is whether long-standing software engineering principles and practices such as code reuse help or hurt with respect to vulnerabilities. Using a novel data-driven analysis of large databases of vulnerabilities, I show the surprising result that software quality and software security are distinct. Most notably, the analysis uncovered a counterintu- itive phenomenon, namely that newly introduced software enjoys a period with no vulnerability discoveries, and further that this “Honeymoon Effect” (a term I coined) is well-explained by the unfamiliarity of the code to malicious actors. An important consequence for code reuse, intended to raise software quality, is that protections inherent in delays in vulnerability discovery from new code are reduced. The second question I pose is the predictive power of this effect. My experimental design exploited a large-scale open source software system, Mozilla Firefox, in which two development methodologies are pursued in parallel, making that the sole variable in outcomes. Comparing the methodologies using a novel synthesis of data from vulnerability databases, These results suggest that the rapid-release cycles used in agile software development (in which new software is introduced frequently) have a vulnerability discovery rate equivalent to conventional development. Finally, I pose the question of the relationship between the intrinsic security of software, stemming from design and development, and the ecosystem into which the software is embedded and in which it operates. I use the early development lifecycle to examine this question, and again use vulnerability data as the means of answering it. Defect discovery rates should decrease in a purely intrinsic model, with software maturity making vulnerabilities increasingly rare. The data, which show that vulnerability rates increase after a delay, contradict this. Software security therefore must be modeled including extrinsic factors, thus comprising an ecosystem

The Federal Information Security Management Act of 2002: A Potemkin Village

Due to the daunting possibilities of cyberwarfare, and the ease with which cyberattacks may be conducted, the United Nations has warned that the next world war could be initiated through worldwide cyberattacks between countries. In response to the growing threat of cyberwarfare and the increasing importance of information security, Congress passed the Federal Information Security Management Act of 2002 (FISMA). FISMA recognizes the importance of information security to the national economic and security interests of the United States. However, this Note argues that FISMA has failed to significantly bolster information security, primarily because FISMA treats information security as a technological problem and not an economic problem. This Note analyzes existing proposals to incentivize heightened software quality assurance, and proposes a new solution designed to strengthen federal information security in light of the failings of FISMA and the trappings of Congress’s 2001 amendment to the Computer Fraud and Abuse Act

A Comprehensive Framework for Patching and Vulnerability Management in Enterprises

As patching and vulnerability management have become a larger part of an organization's routine, its need for proper integration and complexity toward systems has increased. Threat actors continuously seek to develop and perform attacks exploiting vulnerabilities within systems, meaning organizations face the challenge of timely implementing patches to protect their assets. The master's thesis aims at gathering extensive information regarding patching and vulnerability management by integrating a semi-systematic literature review (SSLR), a semi-structured qualitative interview process, and our sense-making. These research methods collect insights from the existing theory and professionals' opinions. The SSLR allowed for gathering relevant studies and sense-making, which were subsequently utilized in developing a conceptual model depicting the vital processes and procedures of patching and vulnerability management based on the theory. As such, the conceptual model was showcased within the semi-structured qualitative interviews, which allowed for unbounded discussions regarding the practices, implementations, and expert input toward the conceptual framework and its improvement areas. The interviews and selection of interviewees allowed for several viewpoints and a wide perspective. Subsequently, after synthesizing the findings from the interviews and additionally gathered theory, the comprehensive framework, which aims to refine and extend the conceptual framework, was developed. The comprehensive framework aims at depicting the enterprises' collective patching and vulnerability management process, along with the intersection of the existing theory. Correspondingly, the framework could be utilized by enterprises to either improve their processes or for enterprises to implement absent processes. The findings highlight a major diversity in the implementation and execution of patching and vulnerability management. Larger companies tend to have more mature processes and employ more automation within their collection of vulnerability information and deployment of patches. Conversely, smaller companies lack the resources allocated to perform needed tasks, which results in a less organized and effective process. The research findings subsidize the existing research gap related to a lack of frameworks depicting the interrelation between patching and vulnerability management and how enterprises currently perform these processes. Additionally, it provides a substantially valuable resource for practitioners, researchers, and enterprises wishing to improve their processes based on an exploratory study assessing the existing literature, experts' opinions, and the design of the conceptual and comprehensive framework. As the comprehensive framework aims to provide a generalized approach and implementation, it can be employed by different-sized businesses while tailored to their needs