My Software has a Vulnerability, should I worry?
(U.S.) Rule-based policies to mitigate software risk suggest using the CVSS
score to measure the individual vulnerability risk and acting accordingly: a HIGH
CVSS score according to the NVD (the U.S. National Vulnerability Database) is
therefore translated into a "Yes". A key issue is whether such a rule is
economically sensible, in particular whether reported vulnerabilities have
actually been exploited in the wild, and whether the risk score actually matches
the risk of actual exploitation.
We compare the NVD dataset with two additional datasets, the EDB for the
white market of vulnerabilities (such as those present in Metasploit), and the
EKITS for the exploits traded in the black market. We benchmark them against
Symantec's threat explorer dataset (SYM) of actual exploits in the wild. We
analyze the whole spectrum of CVSS submetrics and use these characteristics to
perform a case-controlled analysis of CVSS scores (similar to those used to
link lung cancer and smoking) to test its reliability as a risk factor for
actual exploitation.
We conclude that (a) fixing just because of a high CVSS score in NVD yields
only negligible risk reduction, (b) the additional existence of proof-of-concept
exploits (e.g. in EDB) may yield some additional but not large risk reduction,
(c) fixing in response to presence in black markets yields the equivalent risk
reduction of wearing a safety belt in cars (you might still die, but..). On
the negative side, our study shows that as an industry we lack a metric with high
specificity (ruling out vulns for which we shouldn't worry).
In order to address the feedback from BlackHat 2013's audience, the final
revision (V3) provides additional data in Appendix A detailing how the control
variables in the study affect the results.
Comment: 12 pages, 4 figures
A preliminary analysis of vulnerability scores for attacks in wild
NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. One open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability subscore. A high or medium CVSS score shows a significant sensitivity (i.e. prediction of attacks in the wild) only for vulnerabilities present in exploit kits (EKITS) in the black market. All datasets exhibit a low specificity.
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry
demand for more cyber security expertise in the workforce, the effect of
security education and experience on the ability to assess complex software
security problems has only been recently investigated. As proxy for the full
range of software security skills, we considered the problem of assessing the
severity of software vulnerabilities by means of a structured analysis
methodology widely used in industry (i.e. the Common Vulnerability Scoring
System (CVSS) v3), and designed a study to compare how accurately individuals
with background in information technology but different professional experience
and education in cyber security are able to assess the severity of software
vulnerabilities. Our results provide some structural insights into the complex
relationship between education or experience of assessors and the quality of
their assessments. In particular we find that individual characteristics matter
more than professional experience or formal education; apparently it is the
combination of skills that one possesses (including actual knowledge of
the system under study), rather than the specialization or the years of
experience, that most influences the assessment quality. Similarly, we find that
the overall advantage given by professional expertise significantly depends on
the composition of the individual security skills as well as on the available
information.
Comment: Presented at the Workshop on the Economics of Information Security
(WEIS 2018), Innsbruck, Austria, June 201
Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks
In finance, leverage is the ratio between assets borrowed from others and
one's own assets. A matching situation is present in software: by using free
open-source software (FOSS) libraries a developer leverages other people's
code to multiply the offered functionality with a much smaller codebase of their own.
In finance as in software, leverage magnifies profits when returns from
borrowing exceed costs of integration, but it may also magnify losses, in
particular in the presence of security vulnerabilities. We aim to understand
the level of technical leverage in the FOSS ecosystem and whether it can be a
potential source of security vulnerabilities. We also introduce two metrics,
change distance and change direction, to capture the amount and the evolution of
the dependency on third-party libraries.
The application of the proposed metrics on 8494 distinct library versions
from the FOSS Maven-based Java libraries shows that small and medium libraries
(less than 100KLoC) have disproportionately more leverage on FOSS dependencies
in comparison to large libraries. We show that leverage pays off as leveraged
libraries only add a 4% delay in the time interval between library releases
while providing four times more code than their own. However, libraries with
such leverage (i.e., 75% of libraries in our sample) also have 1.6 times higher odds
of being vulnerable in comparison to the libraries with lower leverage.
We provide an online demo for computing the proposed metrics for real-world
software libraries available under the following URL: https://techleverage.eu/.
Comment: 14 pages, 5 figures, to be published in Proceedings of the International
Conference on Software Engineering (ICSE 2021)
Are Software Updates Useless Against Advanced Persistent Threats?
A dilemma worth Shakespeare's Hamlet is increasingly haunting companies and
security researchers: "to update or not to update, this is the question".
From the perspective of recommended common practices by software vendors the
answer is unambiguous: you should keep your software up-to-date. But is common
sense always good sense? We argue it is not
- …