3 research outputs found
Software Technology Maturation and Software Security
Software technology maturation, also referred to as technology transfer, is as difficult as it is rare, mostly because of the time scale involved. Software maturation is defined as the process of taking a piece of technology from conception to popularization. Frequently, software engineers and developers tend to oversimplify the problems of technology transfer. They attribute problems to management pressures that complicate the use of software-engineering practices. However, a good understanding of the processes and problems is necessary to effectively tackle the technology-transfer problem. Without that understanding, the transfer of inappropriate technology to an organization without the maturity to understand and absorb it is likely to do harm, rather than to bring benefits. This research aims to answer two research questions regarding the technology maturation. Namely, is Redwine and Riddle's "Software Technology Maturation" study the accepted and gold standard within the software engineering discipline for assessing the maturation of software technology? Secondly, can the software technology maturation study be applied to other areas of software technology? The purpose of this research is to answer these questions of interest which will serve as the basis for the second implementation; applying the Redwine and Riddle criteria to the comparatively young discipline of software security. The primary goal for the second implementation is to explore and extend the second research question and demonstrate the maturity phases for the field of software security
Partially-Observable Security Games for Automating Attack-Defense Analysis
Network systems often contain vulnerabilities that remain unfixed in a
network for various reasons, such as the lack of a patch or knowledge to fix
them. With the presence of such residual vulnerabilities, the network
administrator should properly react to the malicious activities or proactively
prevent them, by applying suitable countermeasures that minimize the likelihood
of an attack by the attacker. In this paper, we propose a stochastic
game-theoretic approach for analyzing network security and synthesizing defense
strategies to protect a network. To support analysis under partial observation,
where some of the attacker's activities are unobservable or undetectable by the
defender, we construct a one-sided partially observable security game and
transform it into a perfect game for further analysis. We prove that this
transformation is sound for a sub-class of security games and a subset of
properties specified in the logic rPATL. We implement a prototype that fully
automates our approach, and evaluate it by conducting experiments on a
real-life network
DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees
This paper presents the current state of the art on attack and defense
modeling approaches that are based on directed acyclic graphs (DAGs). DAGs
allow for a hierarchical decomposition of complex scenarios into simple, easily
understandable and quantifiable actions. Methods based on threat trees and
Bayesian networks are two well-known approaches to security modeling. However
there exist more than 30 DAG-based methodologies, each having different
features and goals. The objective of this survey is to present a complete
overview of graphical attack and defense modeling techniques based on DAGs.
This consists of summarizing the existing methodologies, comparing their
features and proposing a taxonomy of the described formalisms. This article
also supports the selection of an adequate modeling technique depending on user
requirements