Estimating ToE Risk Level using CVSS
Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is making future-oriented, cost-benefit investments in security. Security investments must adhere to sound business principles in which both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security against financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS does) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.
An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications
This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be only modestly severe; input validation and cross-site scripting have been the most typical vulnerabilities. In terms of the time series analysis based on the release histories, only the recent past is observed to be relevant for statistical predictions; the classical Markov property holds.
Comment: Forthcoming in: Proceedings of the 9th International Workshop on Empirical Software Engineering in Practice (IWESEP 2018), Nara, IEE
A decision support system for corporations cyber security risk management
This thesis presents a decision aiding system named C3-SEC (Context-aware Corporative Cyber Security), developed in the context of a master program at Polytechnic Institute of Leiria, Portugal. The research dimension and the corresponding software development process that followed are presented and validated with an application scenario and case study performed at Universidad de las Fuerzas Armadas ESPE – Ecuador.
C3-SEC is decision aiding software intended to support the analysis of cyber risks and cyber threats to a corporative information and communications technology infrastructure. The resulting software product will help corporations' Chief Information Security Officers (CISOs) with cyber security risk analysis, decision-making and prevention measures for the protection of infrastructure and information assets.
The work is initially focused on the evaluation of the most popular and relevant tools available for risk assessment and decision making in the cyber security domain. Their properties, metrics and strategies are studied, and their support for cyber security risk analysis, decision-making and prevention is assessed with respect to the protection of an organization's information assets.
A contribution to cyber security experts' decision support is then proposed by means of the reuse and integration of existing tools with the C3-SEC software. C3-SEC extends the features of existing tools from the data collection and data analysis (perception) level to a full context-aware reference model.
The software developed makes use of semantic-level, ontology-based knowledge representation and inference supported by widely adopted standards, as well as cyber security standards (CVE, CPE, CVSS, etc.) and cyber security information data sources made available by international authorities, to share and exchange information in this domain. C3-SEC development follows a context-aware systems reference model addressing the perception, comprehension, projection and decision/action layers to create corporate-scale cyber security situation awareness.
Setting Annual Catch Limits for U.S. Fisheries: An Expert Working Group Report
Provides guidance on the application of annual catch limits for U.S. fisheries based on the recommendations of a working group of national and international fisheries experts
Towards a Catalogue of Reusable Security Requirements, Vulnerabilities and Threats
Organizations are giving more importance to securing their systems due to the increasing number of cyber-attacks and the inherent complexity of those systems. The aim of our work is to help organizations plan for and consider these security concerns from the very beginning, starting in the requirements and design phases rather than only later in the implementation or deployment phases. Applying security-by-design and security-by-default principles is a good approach to avoid rework costs and to mitigate security flaws. However, there is not yet a suitable approach to specify security requirements in a rigorous and systematic way. In this paper we propose an approach that allows the definition and specification of security-specific concerns such as security requirements, but also vulnerabilities, risks and threats. We discuss this approach based on two key parts: First, we introduce the RSLingo RSL language, which is a rigorous requirements specification language, and discuss how it is extended to support such security-specific concepts. Second, we argue for the relevance of a catalogue of reusable security-specific specifications and then show concrete examples of defining and using such specifications. The proposed catalogue can be easily used and extended by the community and currently comprises 52 goals, 12 vulnerabilities and 31 risks; these concerns are defined in 9 packages, each representing a distinct asset.