Improving Software Security by Preventing Known Vulnerabilities
2013 (English) Doctoral thesis, monograph (Other academic)
Abstract [en]

From originally being of little concern, security has become a crucial quality factor in modern software. The risk associated with software insecurity has increased dramatically with increased reliance on software and a growing number of threat agents. Nevertheless, developers still struggle with security. It is often an afterthought, bolted on late in development or even during deployment. Consequently, the same kinds of vulnerabilities appear over and over again.

Building security into software from its inception, and constantly adapting processes and technology to changing threats and to an evolving understanding of security, can significantly contribute to establishing and sustaining a high level of security.

This thesis presents the sustainable software security process, the S3P, an approach to software process improvement for software security that focuses on preventing known vulnerabilities by addressing their underlying causes, and on sustaining a high level of security by adapting the process to new vulnerabilities as they become known. The S3P is designed to overcome many of the known obstacles to software process improvement. In particular, it ensures that existing knowledge can be used to its full potential and that the process can be adapted to nearly any environment and used in conjunction with other software security processes and security assurance models.

The S3P is a three-step process based on semi-formal modeling of vulnerabilities, ideally supported by collaborative tools. Such proof-of-concept tools were developed for all parts of the process as part of the SHIELDS project.

The first two steps of the S3P consist in determining the potential causes of known vulnerabilities at all stages of software development, then identifying measures that would prevent each individual cause. These steps are performed using visual modeling languages with well-defined semantics and a modeling workflow. With tool support, modeling effort can be progressively reduced through collaboration and reuse of pre-existing models.

Next, the costs of all potential measures are estimated using any suitable method. This thesis uses pairwise comparisons in order to support qualitative judgements. The models and costs yield a boolean optimization problem that is solved using a search-based heuristic, to identify the best set of measures to prevent selected vulnerabilities.

Empirical evaluation of the various steps of the process has verified a number of key aspects: the modeling process is easy to learn and apply, and the method is perceived by developers as providing value and improving security. Early evaluation results were also used to refine certain aspects of the S3P.

The modeling languages that were introduced in the S3P have since been enhanced to support other applications. This thesis presents security goal models (SGMs), a language that subsumes several security-related modeling languages to unify modeling of threats, attacks, vulnerabilities, activities, and security goals. SGMs have formal semantics and are sufficiently expressive to support applications as diverse as automatic run-time testing, static analysis, and code inspection. Proof-of-concept implementations of these applications were developed as part of the SHIELDS project.

Finally, the thesis discusses how individual components of the S3P can be used in situations where the full process is inappropriate.

Place, publisher, year, pages
Linköping: Linköping University Electronic Press, 2013. 189 p.
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1481
Keyword [en]
Software security, software process improvement
National Category
Software Engineering
Identifiers
urn:nbn:se:liu:diva-84863 (URN)
978-91-7519-784-5 (ISBN)
oai:DiVA.org:liu-84863 (OAI)
Public defence
2013-01-15, Visionen, Hus B, Campus Valla, Linköping University, Linköping, 13:00 (English)
Funder
EU, FP7, Seventh Framework Programme; Vinnova
Available from: 2012-12-03 Created: 2012-10-25 Last updated: 2012-12-10 Bibliographically approved

Author
Byers, David
Organisation
Database and information techniques, The Institute of Technology; Software Engineering