short-paper

Advisory: vulnerability analysis in software development project dependencies

Authors:

Germán Márquez,

José A. Galindo,

Ángel Jesús Varela-Vaca,

María Teresa Gómez López,

David BenavidesAuthors Info & Claims

SPLC '22: Proceedings of the 26th ACM International Systems and Software Product Line Conference - Volume B

Pages 99 - 102

https://doi.org/10.1145/3503229.3547058

Published: 12 September 2022 Publication History

Get Access

Abstract

Security has become a crucial factor in the development of software systems. The number of dependencies in software systems is becoming a source of countless bugs and vulnerabilities. In the past, the product line community has proposed several techniques and mechanisms to cope with the problems that arise when dealing with variability and dependency management in such systems. In this paper, we present Advisory, a solution that allows automated dependency analysis for vulnerabilities within software projects based on techniques from the product line community. Advisory first inspects software dependencies, then generates a dependency graph, to which security information about vulnerabilities is attributed and translated into a formal model, in this case, based on SMT. Finally, Advisory provides a set of analysis and reasoning operations on these models that allow extracting helpful information about the location of vulnerabilities of the project configuration space, as well as details for advising on the security risk of these projects and their possible configurations.

References

[1]

Paolo Arcaini, Angelo Gargantini, and Paolo Vavassori. 2015. Generating tests for detecting faults in feature models. In 2015 IEEE 8th ICST. IEEE, 1--10.

Google Scholar

[2]

Jan Bosch. 2018. Towards a new digital business operating system: Speed, data, ecosystems, and empowerment (keynote). In 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). 2--2.

Crossref

Google Scholar

[3]

Shuvalaxmi Dass and Akbar Siami Namin. 2020. Vulnerability Coverage for Adequacy Security Testing. In 35th Annual ACM Symposium on Applied Computing (Brno, Czech Republic) (SAC '20). ACM, New York, NY, USA, 540--543.

Digital Library

Google Scholar

[4]

José Angel Galindo Duarte. 2015. Evolution, testing and configuration of variability systems intensive. Ph. D. Dissertation. University of Rennes 1, France.

Google Scholar

[5]

José Angel Galindo, David Benavides, and Sergio Segura. 2010. Debian Packages Repositories as Software Product Line Models. Towards Automated Analysis. In ACOTA, Belgium, September, 2010, Vol. 688. CEUR-WS.org, 29--34.

Google Scholar

[6]

José A Galindo, David Benavides, Pablo Trinidad, Antonio-Manuel Gutiérrez-Fernández, and Antonio Ruiz-Cortés. 2019. Automated analysis of feature models: Quo vadis? Computing 101, 5 (2019), 387--433.

Digital Library

Google Scholar

[7]

Wenhui Hu, Yu Wang, Xueyang Liu, Jinan Sun, Qing Gao, and Yu Huang. 2019. Open source software vulnerability propagation analysis algorithm based on knowledge graph. In 2019 IEEE SmartCloud. 121--127.

Google Scholar

[8]

Jeffrey R. Jones. 2007. Estimating Software Vulnerabilities. IEEE Security Privacy 5, 4 (2007), 28--32.

Digital Library

Google Scholar

[9]

P.V.R. Murthy and R.G. Shilpa. 2018. Vulnerability Coverage Criteria for Security Testing of Web Applications. In 2018 ICACCI. 489--494.

Crossref

Google Scholar

[10]

Salvador Martínez Perez, Valerio Cosentino, and Jordi Cabot. 2017. Model-based analysis of Java EE web security misconfigurations. Comput. Lang. Syst. Struct. 49 (2017), 36--61.

Digital Library

Google Scholar

[11]

Ángel Jesús Varela-Vaca, Rafael M. Gasca, Jose Antonio Carmona-Fombella, and María Teresa Gómez López. 2020. AMADEUS: towards the AutoMAteD secUrity teSting. In 24th ACM SPLC '20, Montreal, Quebec, Canada, October 19-23, 2020, Volume A. ACM, 11:1--11:12.

Digital Library

Google Scholar

[12]

Tarun Yadav and Arvind Mallari Rao. 2015. Technical Aspects of Cyber Kill Chain. In Security in Computing and Communications. 438--452.

Google Scholar

Cited By

View all

Germán Márquez AVarela-Vaca ÁGómez López MGalindo JBenavides D(2024)Vulnerability impact analysis in software project dependencies based on Satisfiability Modulo Theories (SMT)Computers and Security10.1016/j.cose.2023.103669139:COnline publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1016/j.cose.2023.103669
Galindo JHorcas JFelferning AFernandez-Amoros DBenavides D(2023)FLAMAProceedings of the 27th ACM International Systems and Software Product Line Conference - Volume B10.1145/3579028.3609008(16-19)Online publication date: 28-Aug-2023
https://dl.acm.org/doi/10.1145/3579028.3609008

Index Terms

Advisory: vulnerability analysis in software development project dependencies
1. Software and its engineering
  1. Software creation and management
    1. Designing software
    2. Software development techniques
      1. Reusability
        Software product lines

Recommendations

Prevention of Cyber-Attacks and Privacy Breaches in Healthcare Sector
Computational Science and Its Applications – ICCSA 2023 Workshops
Abstract
Periodically, analysts in the cybersecurity sector, collect and share relevant data about recent cybercrime trends. These insights cover many aspects of the current cyber-threat scenario, including actors involved, motivations of the attacks, ...
Vulnerability Prioritization, Root Cause Analysis, and Mitigation of Secure Data Analytic Framework Implemented with MongoDB on Singularity Linux Containers
ICCDA '20: Proceedings of the 2020 4th International Conference on Compute and Data Analysis

A Vulnerability Management system is a disciplined, programmatic approach to discover and mitigate vulnerabilities in a system. While securing systems from data exploitation and theft, Vulnerability Management works as a cyclical practice of identifying,...
A Philosophy of Security Architecture Design
Abstract
Digital systems are almost always vulnerable, yet we increasingly depend on these systems. There will be many threats towards these system. In a fully networked system, the vulnerabilities will literally be exposed to the whole world. The exposed ...

Comments

Information & Contributors

Information

Published In

SPLC '22: Proceedings of the 26th ACM International Systems and Software Product Line Conference - Volume B

September 2022

246 pages

ISBN:9781450392068

DOI:10.1145/3503229

General Chairs:
Alexander Felfernig
Graz University of Technology, Austria
,
Lidia Fuentes
University of Málaga, Spain

© 2022 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 September 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

COPERNICA
METAMORFOSIS
AETHER-US

Conference

SPLC '22

Sponsor:

SIGSOFT

SPLC '22: 26th ACM International Systems and Software Product Line Conference

September 12 - 16, 2022

Graz, Austria

Acceptance Rates

SPLC '22 Paper Acceptance Rate 14 of 41 submissions, 34%;

Overall Acceptance Rate 167 of 463 submissions, 36%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
112
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)2

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Germán Márquez AVarela-Vaca ÁGómez López MGalindo JBenavides D(2024)Vulnerability impact analysis in software project dependencies based on Satisfiability Modulo Theories (SMT)Computers and Security10.1016/j.cose.2023.103669139:COnline publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1016/j.cose.2023.103669
Galindo JHorcas JFelferning AFernandez-Amoros DBenavides D(2023)FLAMAProceedings of the 27th ACM International Systems and Software Product Line Conference - Volume B10.1145/3579028.3609008(16-19)Online publication date: 28-Aug-2023
https://dl.acm.org/doi/10.1145/3579028.3609008

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Prevention of Cyber-Attacks and Privacy Breaches in Healthcare Sector

Vulnerability Prioritization, Root Cause Analysis, and Mitigation of Secure Data Analytic Framework Implemented with MongoDB on Singularity Linux Containers

A Philosophy of Security Architecture Design

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations