Quantifying the security risk of discovering and exploiting software vulnerabilities

2016 Summer.Includes bibliographical references.Most of the attacks on computer systems and networks are enabled by vulnerabilities in a software. Assessing the security risk associated with those vulnerabilities is important. Risk mod- els such as the Common Vulnerability Scoring System (CVSS), Open Web Application Security Project (OWASP) and Common Weakness Scoring System (CWSS) have been used to qualitatively assess the security risk presented by a vulnerability. CVSS metrics are the de facto standard and its metrics need to be independently evaluated. In this dissertation, we propose using a quantitative approach that uses an actual data, mathematical and statistical modeling, data analysis, and measurement. We have introduced a novel vulnerability discovery model, Folded model, that estimates the risk of vulnerability discovery based on the number of residual vulnerabilities in a given software. In addition to estimating the risk of vulnerabilities discovery of a whole system, this dissertation has furthermore introduced a novel metrics termed time to vulnerability discovery to assess the risk of an individual vulnerability discovery. We also have proposed a novel vulnerability exploitability risk measure termed Structural Severity. It is based on software properties, namely attack entry points, vulnerability location, the presence of the dangerous system calls, and reachability analysis. In addition to measurement, this dissertation has also proposed predicting vulnerability exploitability risk using internal software metrics. We have also proposed two approaches for evaluating CVSS Base metrics. Using the availability of exploits, we first have evaluated the performance of the CVSS Exploitability factor and have compared its performance to Microsoft (MS) rating system. The results showed that exploitability metrics of CVSS and MS have a high false positive rate. This finding has motivated us to conduct further investigation. To that end, we have introduced vulnerability reward programs (VRPs) as a novel ground truth to evaluate the CVSS Base scores. The results show that the notable lack of exploits for high severity vulnerabilities may be the result of prioritized fixing of vulnerabilities

Security Analysis and Improvement Model for Web-based Applications

Today the web has become a major conduit for information. As the World Wide Web?s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as state space in the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. Vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for the web-based applications using the GeoIP services in the formal methods. In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials to combine with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed security analysis and improvement model for the web-based application. Future work will address Markov Process Model validation when security data collection becomes easy. Security improvement model will be evaluated in performance aspect

DEVELOPMENT STRATEGY AND MANAGEMENT OF AI-BASED VULNERABILITY DETECTION APPLICATIONS IN ENTERPRISE SOFTWARE ENVIRONMENT

Industries are now struggling with high level of security-risk vulnerabilities in their software environment which mainly originate from open-source dependencies. Industries’ percentage of open source in codebases is about 54% whereas ones with high security risks is about 30% (Synopsys 2018). While there are existing solutions for application security analysis, these typically only detect a limited subset of possible errors based on pre-defined rules. With the availability of open-source vulnerability resources, it is now possible to use data-driven techniques to discover vulnerabilities. Although there are a few AI-based solutions available, but there are some associated challenges: 1) use of artificial intelligence for application security (AppSec) towards vulnerability detection has been very limited and definitely not industry oriented, 2) the strategy to develop, use and manage such AppSec products in enterprises have not been investigated; therefore cybersecurity firms do not use even limited existing solutions. In this study, we aim to address these challenges with some strategies to develop such AppSec, their use management and economic values in enterprise environment

Agile Software Development Vulnerabilities and Challenges: An Empirical Study

Since the Agile Software Development (ASD) Manifesto (Fowler & Highsmith, 2001), ASD has offered a disciplined yet lightweight engineering method to better serve organizations’ application needs in today’s fast-evolving and uncertain business environment. According to the latest State of Agile survey (VersionOne, 2018), an overwhelming 97% of responding organizations practice ASD within the organizations. While ASD has become evolutionary, its nature of speedy development and concept of working software has also brought significant challenges in security risk, including vulnerabilities, exploitations, and breaches. One emerging ASD method is Microservices which integrates third-party open-source libraries for rapid, frequent, and efficient delivery of large and complex applications in cloud environments. These open-source libraries represent the breakthroughs to build applications currently and in the future. However, they are the leading causes of Common Vulnerability Exploitation (CVEs). About 76% of applications have at least one open-source vulnerability that turns out to be attack surfaces exploited by hackers (Veracode, 2021). Indeed, every business is eventually a digitally-enabled business, and security breaches are inevitable (McLaughlin & Gogan, 2018). Yet, the literature indicates ASD security research is still nascent. Witnessing and anticipating the significant impact brought by ASD security risks such as Java-based Log4j, this empirical research investigates the key technical and human vulnerabilities and risks in eight major programming languages and the main challenges to implementing security requirements. We also examine the vulnerability and ASD security impact of Work from Home (WFH), which has increased significantly since COVID-19 and is predicted to remain a new way of working. Partnering with a cloud-based SaaS security company with over 2500 worldwide clients, this research collects qualitative data through interviews and quantitative data from a real-time database regarding ASD vulnerabilities. We identify emerging evidence to support best practices for achieving risk control in ASD and recommend remediations to address vulnerabilities comprehensively and in a timely manner. The findings can help organizations develop policies for ASD security management and compliance. In addition, researchers can apply our results to guide future ASD security risk studies in various contexts of emerging technologies

Security Analysis and Improvement Model for Web-based Applications

Today the web has become a major conduit for information. As the World Wide Web?s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as state space in the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. Vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for the web-based applications using the GeoIP services in the formal methods. In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials to combine with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed security analysis and improvement model for the web-based application. Future work will address Markov Process Model validation when security data collection becomes easy. Security improvement model will be evaluated in performance aspect

Toward Data-Driven Discovery of Software Vulnerabilities

Over the years, Software Engineering, as a discipline, has recognized the potential for engineers to make mistakes and has incorporated processes to prevent such mistakes from becoming exploitable vulnerabilities. These processes span the spectrum from using unit/integration/fuzz testing, static/dynamic/hybrid analysis, and (automatic) patching to discover instances of vulnerabilities to leveraging data mining and machine learning to collect metrics that characterize attributes indicative of vulnerabilities. Among these processes, metrics have the potential to uncover systemic problems in the product, process, or people that could lead to vulnerabilities being introduced, rather than identifying specific instances of vulnerabilities. The insights from metrics can be used to support developers and managers in making decisions to improve the product, process, and/or people with the goal of engineering secure software. Despite empirical evidence of metrics\u27 association with historical software vulnerabilities, their adoption in the software development industry has been limited. The level of granularity at which the metrics are defined, the high false positive rate from models that use the metrics as explanatory variables, and, more importantly, the difficulty in deriving actionable intelligence from the metrics are often cited as factors that inhibit metrics\u27 adoption in practice. Our research vision is to assist software engineers in building secure software by providing a technique that generates scientific, interpretable, and actionable feedback on security as the software evolves. In this dissertation, we present our approach toward achieving this vision through (1) systematization of vulnerability discovery metrics literature, (2) unsupervised generation of metrics-informed security feedback, and (3) continuous developer-in-the-loop improvement of the feedback. We systematically reviewed the literature to enumerate metrics that have been proposed and/or evaluated to be indicative of vulnerabilities in software and to identify the validation criteria used to assess the decision-informing ability of these metrics. In addition to enumerating the metrics, we implemented a subset of these metrics as containerized microservices. We collected the metric values from six large open-source projects and assessed metrics\u27 generalizability across projects, application domains, and programming languages. We then used an unsupervised approach from literature to compute threshold values for each metric and assessed the thresholds\u27 ability to classify risk from historical vulnerabilities. We used the metrics\u27 values, thresholds, and interpretation to provide developers natural language feedback on security as they contributed changes and used a survey to assess their perception of the feedback. We initiated an open dialogue to gain an insight into their expectations from such feedback. In response to developer comments, we assessed the effectiveness of an existing vulnerability discovery approach—static analysis—and that of vulnerability discovery metrics in identifying risk from vulnerability contributing commits

Penetration Testing of Glia’s Web Application

Läbistustestimine on reaalsete veebirünnakute simulatsioon, et hinnata turvaaukudest tulenevaid potensiaalseid riske. Läbistustestimine nõuab testijalt mitmekülgseid professionaalseid oskusi, et manuaalselt kontrollida turvalisuse nõudeid, teostada veebirakenduse lähtekoodi ülevaatamist ning seadistada automatiseeritud teste. Mittetulundusühing OWASP pakub tarkvara turvalisuse hindamiseks mitmeid dokumente. Glia arendatud operaatori veebirakendust testiti kõigi OWASP Top 10 2017 ohtude suhtes. Ohutegurite kontrollimiseks kasutati OWASP ASVS 4.0 teise taseme nõudeid, mõnel puhul ka kohandatud nõudeid. Lisaks manuaalselt tuvastatavatele turvanõuete kontrollile kasutati ka Burp Suite rakenduse erinevaid automatiseeritud tööriistu. Iga tuvastatud turvaaugu puhul hinnati selle riski taset, võttes arvesse ohu leviku tõenäosust ja mõju veebirakendusele. Kõikidele OWASP Top 10 ohtude kohta anti riskide maandamise soovitusi.Penetration testing is a simulation of real attacks to assess the risks associated with potential security vulnerabilities. Penetration testing requires various levels of expertise to manually verify security requirements, to review web application source code and configure automated tests. Nonprofit organization OWASP provides several documents for software security assessment. Glia’s Operator Application was tested against all OWASP Top 10 2017 threats. For threat verification, OWASP ASVS 4.0 level 2 requirements along with additional customized test cases were checked. In addition to manual security requirement verification, automated Burp Suite tools were used. For each detected vulnerability, risk severity was assessed by taking into account the threat prevalence likelihood and impact. Risk mitigation suggestions were provided to all OWASP Top 10 threats

AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution

European Digital Libraries: Web Security Vulnerabilities

Purpose – The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons. Design/methodology/approach – A web vulnerability testing tool was used to analyze 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems. Findings – Analysis results from surveying the libraries show the majority have serious security flaws in their web applications. The research shows that despite country-specific laws mandating secure sites, system librarians have not implemented appropriate measures to secure their online information systems. Research limitations/implications – Further research on library vulnerability throughout the world can be taken to educate librarians in other countries of the serious nature of protecting their systems. Practical implications – The findings serve to remind librarians of the complexity in providing a secure online environment for their patrons and that a disregard or lack of awareness of securing systems could lead to serious vulnerabilities of the patrons' personal data and systems. Lack of consumer trust may result in a decreased use of online commerce and have serious repercussions for the municipal libraries. Several concrete examples of methods to improve security are provided. Originality/value – The paper serves as a current paper on data security issues at Western European municipal library web sites. It serves as a useful summary regarding technical and managerial measures librarians can take to mitigate inadequacies in their security implementation