Improving Software Security by Preventing Known Vulnerabilities
Linköping University, Department of Computer and Information Science, Database and Information Techniques. Linköping University, The Institute of Technology.
2013 (English) Doctoral thesis, monograph (Other academic)
Abstract [en]

From originally being of little concern, security has become a crucial quality factor in modern software. The risk associated with software insecurity has increased dramatically with increased reliance on software and a growing number of threat agents. Nevertheless, developers still struggle with security. It is often an afterthought, bolted on late in development or even during deployment. Consequently, the same kinds of vulnerabilities appear over and over again.

Building security into software from its inception, and constantly adapting processes and technology to changing threats and to a changing understanding of security, can significantly contribute to establishing and sustaining a high level of security.

This thesis presents the sustainable software security process, the S3P, an approach to software process improvement for software security that focuses on preventing known vulnerabilities by addressing their underlying causes, and on sustaining a high level of security by adapting the process to new vulnerabilities as they become known. The S3P is designed to overcome many of the known obstacles to software process improvement. In particular, it ensures that existing knowledge can be used to its full potential and that the process can be adapted to nearly any environment and used in conjunction with other software security processes and security assurance models.

The S3P is a three-step process based on semi-formal modeling of vulnerabilities, ideally supported by collaborative tools. Such proof-of-concept tools were developed for all parts of the process as part of the SHIELDS project.

The first two steps of the S3P consist of determining the potential causes of known vulnerabilities at all stages of software development, then identifying measures that would prevent each individual cause. These steps are performed using visual modeling languages with well-defined semantics and a modeling workflow. With tool support, modeling effort can be progressively reduced through collaboration and use of pre-existing models.

Next, the costs of all potential measures are estimated using any suitable method. This thesis uses pairwise comparisons in order to support qualitative judgements. The models and costs yield a boolean optimization problem that is solved using a search-based heuristic, to identify the best set of measures to prevent selected vulnerabilities.

Empirical evaluation of the various steps of the process has verified a number of key aspects: the modeling process is easy to learn and apply, and the method is perceived by developers as providing value and improving security. Early evaluation results were also used to refine certain aspects of the S3P.

The modeling languages that were introduced in the S3P have since been enhanced to support other applications. This thesis presents security goal models (SGMs), a language that subsumes several security-related modeling languages to unify modeling of threats, attacks, vulnerabilities, activities, and security goals. SGMs have formal semantics and are sufficiently expressive to support applications as diverse as automatic run-time testing, static analysis, and code inspection. Proof-of-concept implementations of these applications were developed as part of the SHIELDS project.

Finally, the thesis discusses how individual components of the S3P can be used in situations where the full process is inappropriate.
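
The measure-selection step described above, as an added illustration that is not part of the thesis or the SHIELDS tools: a constructed toy model of vulnerabilities, their causes, candidate measures and costs, with the boolean optimization (cover every cause of the selected vulnerabilities at minimum total cost) solved both exhaustively and by a simple greedy heuristic. The greedy rule, the numeric costs and all names are assumptions, not the thesis's own heuristic or models.

```python
from itertools import combinations

# Constructed toy model (not from the thesis): vulnerability -> its causes.
CAUSES = {
    "sql_injection": {"unparameterized_query", "missing_input_validation"},
    "stack_overflow": {"unchecked_length", "unsafe_string_api"},
}
# Candidate measure -> (causes it prevents, relative cost). The numeric costs
# stand in for the pairwise-comparison estimates the thesis uses.
MEASURES = {
    "parameterized_queries": ({"unparameterized_query"}, 2),
    "validation_library": ({"missing_input_validation", "unchecked_length"}, 3),
    "banned_api_list": ({"unsafe_string_api"}, 1),
    "secure_coding_training": ({"unparameterized_query", "missing_input_validation",
                                "unchecked_length", "unsafe_string_api"}, 5),
    "static_analysis": ({"unparameterized_query", "unchecked_length", "unsafe_string_api"}, 4),
}

def causes_to_prevent(selected):
    """Every cause of the vulnerabilities chosen for elimination."""
    return set().union(*(CAUSES[v] for v in selected))

def total_cost(chosen):
    return sum(MEASURES[m][1] for m in chosen)

def optimal(selected):
    """Exact answer by exhaustive search over measure subsets (toy sizes only):
    cheapest set that prevents every target cause, or None if none exists."""
    targets, best = causes_to_prevent(selected), None
    for k in range(1, len(MEASURES) + 1):
        for combo in combinations(MEASURES, k):
            prevented = set().union(*(MEASURES[m][0] for m in combo))
            if targets <= prevented and (best is None or total_cost(combo) < total_cost(best)):
                best = combo
    return (total_cost(best), sorted(best)) if best else None

def greedy(selected):
    """Assumed heuristic (not the thesis's own): repeatedly take the measure that
    prevents the most still-open causes per unit cost. Fast, but can overpay."""
    remaining, chosen = set(causes_to_prevent(selected)), []
    while remaining:
        m = max(MEASURES, key=lambda x: len(MEASURES[x][0] & remaining) / MEASURES[x][1])
        gained = MEASURES[m][0] & remaining
        if not gained:
            return None  # a target cause has no preventing measure in the model
        chosen.append(m)
        remaining -= gained
    return total_cost(chosen), sorted(chosen)
```

On this model the greedy search picks three cheap measures for a total cost of 6, while the exhaustive search finds that training alone covers all four causes for 5, which is why the choice of search heuristic matters once the model grows beyond what exhaustive search can handle.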

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2013. p. 189
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1481
Keywords [en]
Software security, software process improvement
National subject category
Software Engineering
Identifiers
URN: urn:nbn:se:liu:diva-84863
ISBN: 978-91-7519-784-5 (print)
OAI: oai:DiVA.org:liu-84863
DiVA, id: diva2:573750
Public defence
2013-01-15, Visionen, House B, Campus Valla, Linköping University, Linköping, 13:00 (English)
Research funder
EU, FP7, Seventh Framework Programme, 215995; Vinnova
Available from: 2012-12-03 Created: 2012-10-25 Last updated: 2018-01-12 Bibliographically approved

Open Access in DiVA

cover (99 kB) 139 downloads
File information
File name: COVER01.pdf File size: 99 kB Checksum: SHA-512
d650dbb47e9bb987240865f71dbee2cd86e0285e5825c1f2bb4d28233452b85ae8c6ee634f8c604d69f1cb997069ef0de892f5a3ac0ba3bcd0fb6b13fc90150e
Type: cover Mimetype: application/pdf
