A Classi cation of Software Vulnerabilities That Result From Incorrect Environmental Assumptions (original) (raw)
Related papers
Understanding Vulnerabilities by Refining Taxonomy
Since early 90s, experts have proposed various ways to prevent exploitations and avoid releasing software with vulnerabilities. One way is through educating developers with information on known vulnerabilities using taxonomy of vulnerabilities as a guide. However, the guide using taxonomy of vulnerabilities has not shown to mitigate the issues. One possibility is due to the existence of gaps in producing the right and comprehensive taxonomy for software vulnerabilities. We studied various available taxonomies on software vulnerabilities. In this paper we propose and discuss our own criteria for taxonomy of software vulnerabilities with some improvement with particular emphasis on C programming.
Security vulnerability categories in major software systems
… , Network, and Information …, 2006
The security vulnerabilities in software systems can be categorized by either the cause or severity. Several software vulnerabilities datasets for major operating systems and web servers are examined. The goal is to identify the attributes of each category that can potentially be exploited for enhancing security. Linking a vulnerability type to a severity level can help us prioritize testing to develop more effective testing plans. Instead of using an ad hoc security testing approach, testing can be directed to vulnerabilities with higher risk. ...
A Survey on Taxonomies of Attacks and Vulnerabilities in Computer Systems
2012
Security evaluation of a system is a complicated problem. The majority of the recent efforts in Security evaluation involve for discovering well-known Vulnerabilities. Discovering unidentified Vulnerabilities yet mostly remains a subjective procedure. The procedure knows how to be improved by considering the Characteristics and behavior of well-known Vulnerabilities. The information therefore obtained knows how to be planned into an appropriate Taxonomy, and then can be used as a structure for systematically and investigating new Systems for related however at the same time as yet unidentified Vulnerabilities. There have been several efforts at producing such Taxonomies. This paper offers a detailed review of the significant work done on developing Taxonomies of Attacks and Vulnerabilities in Computer Systems. This review covers work done in security related taxonomies. Apart from giving a state of the art review of Taxonomies, furthermore we examine their efficiency for use in a se...
Maintaining software with a security perspective
International Conference on Software Maintenance, 2002. Proceedings., 2002
Testing for software security is a lengthy, complex and costly process. Currently, security testing is done using penetration analysis and formal verification of security kernels. These methods are not complete and are difficult to use. Hence it is essential to focus testing effort in areas that have a greater number of security vulnerabilities to develop secure software as well as meet budget and time constraints. We propose a testing strategy based on a classification of vulnerabilities to develop secure and stable systems. This taxonomy will enable a system testing and maintenance group to understand the distribution of security vulnerabilities and prioritize their testing effort according to the impact the vulnerabilities have on the system. This is based on Landwehr's classification scheme for security flaws and we evaluated it using a database of 1360 operating system vulnerabilities. This analysis indicates vulnerabilities tend to be focused in relatively few areas and associated with a small number of software engineering issues.
Software Security: A Risk Taxonomy
The implementation of software has been challenging for many organizations. As given in the many reports of important failures, the implementation of packaged software and associated changes in business processes has proved not to be an easy mission. As many organizations have discovered, the implementation of software’s systems can be an enormous disaster unless the process is managed cautiously. By calculating and minimizing the major business risks in the first illustration, the scene can be set for the successful performance of software’s organization. Almost every software controlled system faces risk from potential adversaries. Software engineers must be cognizant of these security risk and engineer systems with probable defenses, as still delivering value to customers is priority of an organization.Software security risk management and security assessments essentials reproduces several influences. The maximum documentation arrival on security holders encloses the value to cus...
Assessing Vulnerabilities in Software Systems: A Quantitative
2006
Security and reliability are two of the most important attributes of complex software systems. It is now common to use quantitative methods for evaluating and managing reliability. Software assurance requires similar quantitative assessment of software security, however only limited work has been done on quantitative aspects of security. The analogy with software reliability can help developing similar measures for software security. However, there are significant differences that need to be identified and appropriately acknowledged. This work examines the feasibility of quantitatively characterizing major attributes of security using its analogy with reliability. In particular, we investigate whether it is possible to predict the number of vulnerabilities that can potentially be identified in a current or future release of a software system using analytical modeling techniques. Datasets from several major complex software systems have been collected and analyzed, they represent both open-source and proprietary software systems. They include most of the major operating systems, web servers, and web browsers currently in use. The data about vulnerabilities discovered in these software systems are analyzed to identify trends and the goodness of fit with the proposed models is statistically examined. Vulnerability datasets are examined to determine if the vulnerability density in a program is a practical and useful measure. We attempt to identify the quantitative relationship between software defects and vulnerabilities. The results indicate that
1996
Security in computer systems is important soasto ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identi ed, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modi cation of data, or disclosure of information. We define a classification of security faults in the Unix operating system. We state the criteria used to categorize the faults and present examples of the di erent fault types. We present the design and implementation details of a prototype database to store vulnerability information collected from different sources. The data is organized according to our fault categories. The information in the database can be applied in static audit analysis of systems, intrusion detection, and fault detection. We also identify and describe software testing methods that should be ef...
Computer Vulnerability Analysis: Thesis Proposal
1997
Computer security professionals and researchers do not have a history of sharing and analyzing computer vulnerability information. Scientists and engineers from older or more established fields have long understood that publicizing, analyzing, and learning from other people's mistakes is essential to the stepwise refinement of complex systems. Computer scientists, however, have not followed suit. Programmers reinvent classical programming mistakcs, contributing to the reappearance of known vulnerabilities. In the recent past, complltcr systems have come to be a part of critical systems that have a direct effect on the safety and well-being of human beings and hence we must have lower tolerance for software failures. In the dissedation I will attempt to show that computer vulnerability information presents important regularities and these can be detected, and possibly visualized, providing important insight about the reason of their prevalence and existence. The information deriv...