
    HAVOSS: A Maturity Model for Handling Vulnerabilities in Third Party OSS Components

    Security has been recognized as a leading barrier for IoT adoption. The growing number of connected devices and reported software vulnerabilities increases the importance of firmware updates. Maturity models for software security do include parts of this, but are lacking in several aspects. This paper presents and evaluates a maturity model (HAVOSS) for handling vulnerabilities in third-party OSS and COTS components. The maturity model was designed by first reviewing industry interviews, current best-practice guidelines and other maturity models. After that, the practices were refined through industry interviews, resulting in six capability areas covering in total 21 practices. These were then evaluated based on their importance according to industry experts. It is shown that the practices are seen as highly important, indicating that the model can be seen as a valuable tool when assessing strengths and weaknesses in an organization's ability to handle firmware updates.

    An Approach Toward Implementing Continuous Security In Agile Environment

    Traditionally, developers design software to accomplish a set of functions and then later add—or do not add—security measures, especially after the prevalence of the agile software development model. Consequently, there is an increased risk of security vulnerabilities being introduced into the software at various stages of development. To avoid security vulnerabilities, there are many secure software development efforts in the direction of a secure software development lifecycle process. The purpose of this thesis is to propose a software security assurance methodology and integrate it into the Msg Life organization's development lifecycle, based on security best practices that fulfill their needs in building secure software applications. Ultimately, the objective is to increase the security maturity level according to the suggested security assurance roadmap, which was implemented in part in the context of this thesis.

    Improving internal vulnerability scanning and optimal positioning of the vulnerability scanner in the internal network

    The art of vulnerability scanning is an integral part of any organization's internal network security, and it cannot be underestimated. It is vital to use a dependable vulnerability scanner and carefully select the most appropriate one for the task. This thesis seeks to gain a profound understanding of Sanoma Media's internal network and subsequently enhance its vulnerability scanning capabilities by first comprehending the different Tenable products. After acquiring a firm understanding of the various products, the Nessus Scanner was chosen based on Sanoma's business requirements. With the scanner in hand, the optimal location for it had to be carefully determined. To achieve this, several scenarios were developed, and a combination of factors from the business, technical, and financial perspectives was used to select the most effective scenario for implementation within the internal network. The implementation of the selected scenario involved meticulous setup of the scanner, from both a hardware and a software perspective. This thesis also presents an analysis of the Host Discovery Scan and Basic Network Scan results, alongside a security analysis of the Basic Network Scan. Furthermore, it offers a detailed explanation of the selected scenario, including the parameters that were carefully determined before the implementation process commenced. Finally, the thesis outlines future work that needs to be undertaken, including the challenges that were encountered during the practical portion of the study.

    "False negative -- that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing

    The demand for automated security analysis techniques, such as static analysis based security testing (SAST) tools, continues to increase. To develop SASTs that are effectively leveraged by developers for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the limitations of the tools, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify 17 key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo, challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.
    Comment: To be published in IEEE Symposium on Security and Privacy 202

    Don’t Just Make Redistricters More Accountable to the People, Make Them the People

    This thesis investigated the heat transfer of internally oil-cooled rotors in permanent magnet electric machines which are, among other things, used in hybrid vehicles or zero-emission vehicles. The magnets become sensitive and can be demagnetized at high working temperatures, hence the need for cooling. The scope of this work included CFD simulations in STAR-CCM+. Three different 3D multiphase models simulating the oil propagation in the rotor were performed. A Lagrangian multiphase model combined with a fluid film model was the most suitable model for simulating the spray of the oil and the film thickness along the inner rotor wall. It was noticed that periodic boundaries caused problems for the fluid film model, therefore a complete geometry was preferred over a truncated model. The 3D solutions provided thicker film thicknesses than the analytical solutions from the fluid film thickness theory. The maximum analytical thickness was of the same order of magnitude as the surface-average film thickness provided by the multiphase models. This thickness was assumed to be constant when used as the base for the fluid region in the 2D one-phase models. The study showed that aluminum was the most suitable rotor material due to its high conductive capacity, which provided a more even distribution of the temperature in the solid and hence resulted in lower overall temperatures. The cooling power increased linearly with the volumetric flow rate; however, the heat transfer coefficient decreased for the higher flow rates. A volumetric flow rate of 10 dl/min was recommended. A 2D model was compared to a preliminary experiment and showed that these were not correlated. The conclusion was that more experiments and simulations are needed in order to confirm the validity of the 2D model.

    Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

    The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where, e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers, who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvement, from the point of view of both the producer and the acquirer.

    The Evolution of Legal Risks Pertaining to Patch Management and Vulnerability Management

    This article begins with an overview, in non-technical terms, of the tools generally available and the processes implemented for vulnerability management and patch management. Section II identifies some of the evolving security standards that regulators and plaintiffs may rely on to show that companies are legally required to have vulnerability management and patch management. Section III identifies U.S. legal implications of vulnerability management and patch management and the factors that courts and regulators may consider.