308 research outputs found

    A Screening Test for Disclosed Vulnerabilities in FOSS Components

    Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using it in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing, as the vulnerability may not be applicable to the older version of the FOSS component in use. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly to disclosed vulnerabilities—in the case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundreds of thousands of lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above-mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.

    Who should pay for interdependent risk? Policy implications for security interdependence among airports

    We study interdependent risks in security, and shed light on the economic and policy implications of increasing security interdependence in the presence of reactive attackers. We investigate the impact of potential public policy arrangements on the security of a group of interdependent organizations, namely airports. Focusing on security expenditures and costs to society, as assessed by a social planner, to individual airports and to attackers, we first develop a game-theoretic framework, and derive explicit Nash equilibrium and socially optimal solutions in the airports network. We then conduct numerical experiments mirroring real-world cyber scenarios to assess how a change in interdependence impacts the airports' security expenditures, the overall expected costs to society, and the fairness of security financing. Our study provides insights on the economic and policy implications for the United States, Europe, and Asia.

    A new, evidence-based, theory for knowledge reuse in security risk analysis

    Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.

    Measuring the accuracy of software vulnerability assessments: experiments with students and professionals

    Assessing the risks of software vulnerabilities is a key process of software development and security management. This assessment requires considering multiple factors (technical features, operational environment, involved assets, status of the vulnerability lifecycle, etc.) and may depend on the assessor's knowledge and skills. In this work, we tackle an important part of this problem by measuring the accuracy of technical vulnerability assessments by assessors with different levels and types of knowledge. We report an experiment comparing how accurately students with different technical education and security professionals are able to assess the severity of software vulnerabilities with the Common Vulnerability Scoring System (v3) industry methodology. Our results could be useful for increasing awareness about the intrinsic subtleties of vulnerability risk assessment and possibly for better compliance with regulations. With respect to academic education, professional training and human resources selection, our work suggests that measuring the effects of knowledge and expertise on the accuracy of software security assessments is feasible, albeit not easy.

    Tableau methods for formal verification of multi-agent distributed systems


    IT Interdependence and the Economic Fairness of Cyber-security Regulations for Civil Aviation

    Interviews about emerging cybersecurity threats and a cybersecurity public policy economic model for civil aviation illustrate stakeholders' concerns: interdependency issues can lead to aviation regulations that put smaller airports at a disadvantage.

    Is the Salmonella contamination of swine carcasses at slaughter related to the Salmonella load in caecum?

    The aim of this study was to examine the relationship between the load of Salmonella spp. in caeca and the carcass contamination in an Italian slaughterhouse. The sampling scheme was designed to be representative of the pigs slaughtered in a day and to estimate a 12% prevalence of pigs highly contaminated by Salmonella spp. (HCP, cecal load ≥3 log). Environmental swabs were taken before slaughter. Cecal contents and carcass swabs were collected from the same pig. Salmonella MPN were estimated according to ISO 6579-2:2012/A1 and ISO 7218:2007/E. The overall Salmonella prevalences were 34.64% and 7.19% for ceca and carcasses respectively, with S. Derby and S. 4,[5],12:i:- being the prevalent serotypes. The HCP prevalence was 11.44%. 7/59 environmental swabs tested positive; when the same serotype was isolated from the environment and from carcasses, the samples were excluded from further analysis. Statistical analysis was performed to investigate the relationship between Salmonella spp. loads in the cecum and contamination of the carcass of the same pig, and between the prevalence of HCP and the contamination of carcasses on the same day. For this purpose, the days were classified as "high prevalence days" depending on the proportion of caeca that tested positive (≥36%) and as "high load" days depending on the prevalence of HCP (≥10%). A correlation between the contamination of carcasses and the cecal Salmonella loads of the same animal was found (Spearman's correlation coefficient: 0.2254; p-value=0.0001). No correlation was found between the contamination of carcasses and the categorization of the day of sampling as a "high prevalence day". Conversely, a correlation was found between the contamination of carcasses and the "high load" category of the sampling day (Wilcoxon test, p=0.0011). Notably, it was not the prevalence of pigs carrying Salmonella spp. but the prevalence of highly contaminated pigs that was shown to be related to the contamination of carcasses.

    Automated Synthesis of Tableau Calculi

    This paper presents a method for synthesising sound and complete tableau calculi. Given a specification of the formal semantics of a logic, the method generates a set of tableau inference rules that can then be used to reason within the logic. The method guarantees that the generated rules form a calculus which is sound and constructively complete. If the logic can be shown to admit finite filtration with respect to a well-defined first-order semantics, then adding a general blocking mechanism provides a terminating tableau calculus. The process of generating tableau rules can be completely automated and produces, together with the blocking mechanism, an automated procedure for generating tableau decision procedures. For illustration we show the workability of the approach for a description logic with transitive roles and propositional intuitionistic logic.
    Comment: 32 pages.

    Dietary Saccharomyces cerevisiae boulardii CNCM I-1079 positively affects performance and intestinal ecosystem in broilers during a Campylobacter jejuni infection

    In poultry production, probiotics have shown promise to limit campylobacteriosis, the most commonly reported zoonosis in Europe, at the farm level. The aim of this trial was to evaluate the effects of Saccharomyces supplementation on performance and intestinal ecosystem in Campylobacter jejuni challenged chickens. A total of 156 day-old male Ross 308 chicks were assigned to a basal control diet (C) or to a Saccharomyces cerevisiae boulardii CNCM I-1079 supplemented diet (S). All the birds were orally challenged with C. jejuni on day (d) 21. Live weight and growth performance were evaluated on days 1, 21, 28 and 40. The histology of intestinal mucosa was analyzed and the gut microbiota composition was assessed by 16S rRNA. Performance throughout the trial, as well as villi length and crypt depth, were positively influenced by yeast supplementation. A higher abundance of operational taxonomic units (OTUs) annotated as Lactobacillus reuteri and Faecalibacterium prausnitzii and a lower abundance of Campylobacter in fecal samples from the S group compared to the C group were reported. Supplementation with Saccharomyces cerevisiae boulardii can effectively modulate the intestinal ecosystem, leading to a higher abundance of beneficial microorganisms and modifying the intestinal mucosa architecture, with a subsequent improvement of the broilers' growth performance.