DOI: 10.1145/3338500.3360332
Research article (Public Access)

Thou Shalt Discuss Security: Quantifying the Impacts of Instructions to RFC Authors

Published: 11 November 2019

ABSTRACT

The importance of secure development of new technologies is unquestioned, yet the best methods to achieve this goal are far from certain. A key issue is that while significant effort is given to evaluating the outcomes of development (e.g., security of a given project), it is far more difficult to determine what organizational practices result in secure projects. In this paper, we quantitatively examine efforts to improve the consideration of security in Requests for Comments (RFCs) --- the design documents for the Internet and many related systems --- through the mandates and guidelines issued to RFC authors. We begin by identifying six metrics that quantify the quantity and quality of security informative content. We then apply these metrics longitudinally over 8,437 documents and 49 years of development to determine whether guidance to RFC authors changed these security metrics in later documents. We find that even a simply worded --- but effectively enforced --- mandate to explicitly consider security created a significant effect in increased discussion and topic coverage of security content both in and outside of a mandated security considerations section. We find that later guidelines with more detailed advice on security also improve both volume and quality of security informative content in RFCs. Our work demonstrates that even modest amounts of guidance can correlate to significant improvements in security focus in RFCs, indicating a promising approach for other network standards bodies.


Published in

SSR'19: Proceedings of the 5th ACM Workshop on Security Standardisation Research Workshop
November 2019
87 pages
ISBN: 9781450368322
DOI: 10.1145/3338500

Copyright © 2019 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 11 November 2019

Qualifiers: research-article

Overall Acceptance Rate: 33 of 76 submissions, 43%