Report: Measuring the Attack Surfaces of Enterprise Software

Manadhata, Pratyusa K.; Karabulut, Yuecel; Wing, Jeannette M.

doi:10.1007/978-3-642-00199-4_8

Pratyusa K. Manadhata¹⁹,
Yuecel Karabulut²⁰ &
Jeannette M. Wing¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5429))

Included in the following conference series:

International Symposium on Engineering Secure Software and Systems

548 Accesses
9 Citations

Abstract

Software vendors are increasingly concerned about mitigating the security risk of their software. Code quality improvement is a traditional approach to mitigate security risk; measuring and reducing the attack surface of software is a complementary approach. In this paper, we apply a method for measuring attack surfaces to enterprise software written in Java. We implement a tool as an Eclipse plugin to measure an SAP software system’s attack surface in an automated manner. We demonstrate the feasibility of our approach by measuring the attack surfaces of three versions of an SAP software system. We envision our measurement method and tool to be useful to software developers for improving software security and quality.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

A hierarchical model for quantifying software security based on static analysis alerts and software metrics

Article 15 May 2021

Architecture-Based Attack Path Analysis for Identifying Potential Security Incidents

Understanding the behaviour of hackers while performing attack tasks in a professional setting and in a public challenge

Article 26 May 2018

References

Howard, M.: Fending off future attacks by reducing attack surface (2003), http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure02132003.asp
Howard, M., Pincus, J., Wing, J.M.: Measuring relative attack surfaces. In: Proc. of Workshop on Advanced Developments in Software and Systems Security (2003)
Google Scholar
Manadhata, P.K., Kaynar, D.K., Wing, J.M.: A formal model for a system’s attack surface. Technical Report CMU-CS-07-144, CMU (July 2007)
Google Scholar
Ag, S.: NetWeaver, http://www.sap.com/platform/netweaver/index.epx
Eclipse: Eclipse - An open development platform, http://www.eclipse.org/
Sharp, M., Sawin, J., Rountev, A.: Building a whole-program type analysis in Eclipse. In: Eclipse Technology Exchange Workshop at OOPSLA, pp. 6–10 (2005)
Google Scholar
Eclipse: Eclipse package org.eclipse.jdt.internal.corext.callhierarchy, http://mobius.inria.fr/eclipse-doc/org/eclipse/jdt/internal/corext/callhierarchy/package-summary.html
Manadhata, P.K., Tan, K.M., Maxion, R.A., Wing, J.M.: An approach to measuring a system’s attack surface. Technical Report CMU-CS-07-146, CMU (2007)
Google Scholar

Download references

Author information

Authors and Affiliations

Carnegie Mellon Univeristy, Pittsburgh, PA, USA
Pratyusa K. Manadhata & Jeannette M. Wing
SAP Research, Palo Alto, CA, USA
Yuecel Karabulut

Authors

Pratyusa K. Manadhata
View author publications
You can also search for this author in PubMed Google Scholar
Yuecel Karabulut
View author publications
You can also search for this author in PubMed Google Scholar
Jeannette M. Wing
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

University of Trento, Povo (Trento), Italy
Fabio Massacci
Department of Computer Science, James Madison University, VA 22807, Harrisonburg, USA
Samuel T. Redwine Jr.
Department of Computer Science, University of Toronto, ON, Canada
Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Manadhata, P.K., Karabulut, Y., Wing, J.M. (2009). Report: Measuring the Attack Surfaces of Enterprise Software. In: Massacci, F., Redwine, S.T., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2009. Lecture Notes in Computer Science, vol 5429. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00199-4_8

Download citation

DOI: https://doi.org/10.1007/978-3-642-00199-4_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00198-7
Online ISBN: 978-3-642-00199-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics