DOI: 10.1145/3476883.3520217
research-article

Integrating vulnerability risk into the software process

Published: 04 May 2022

Abstract

Software developers often focus on the functional aspects of software and defer consideration of security vulnerabilities until late in the development process. Consequently, vulnerabilities plague contemporary software. This work presents an approach that leverages contemporary vulnerability data in determining risk for the type of software. A novel process model is used to infuse vulnerability risk into the specification, design and implementation phases of the software process. This approach brings security concerns to the forefront of the entire process. A case study demonstrates mitigation actions for specific weaknesses in each phase of development.

Published In

ACMSE '22: Proceedings of the 2022 ACM Southeast Conference
April 2022
267 pages
ISBN: 9781450386975
DOI: 10.1145/3476883

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. software lifecycle
  2. software vulnerability
  3. threat modeling

Qualifiers

  • Research-article

Conference

ACM SE '22
ACM SE '22: 2022 ACM Southeast Conference
April 18 - 20, 2022
Virtual Event

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 93
  • Downloads (Last 12 months): 14
  • Downloads (Last 6 weeks): 3

Reflects downloads up to 07 Mar 2025
