Categorization of software errors that led to security breaches

A Taxonomy of Security Faults

1996

Security in computer systems is important so as to ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identified, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modification of data, or disclosure of information. We define a classification of security faults in the Unix operating system. We state the criteria used to categorize the faults and present examples of the different fault types. We present the design and implementation details of a prototype database to store vulnerability information collected from different sources. The data is organized according to our fault categories. The information in the database can be applied in static audit analysis of systems, intrusion detection, and fault detection. We also identify and describe software testing methods that should be ef...

Security vulnerability categories in major software systems

… , Network, and Information …, 2006

The security vulnerabilities in software systems can be categorized by either the cause or severity. Several software vulnerabilities datasets for major operating systems and web servers are examined. The goal is to identify the attributes of each category that can potentially be exploited for enhancing security. Linking a vulnerability type to a severity level can help us prioritize testing to develop more effective testing plans. Instead of using an ad hoc security testing approach, testing can be directed to vulnerabilities with higher risk. ...

Use of a taxonomy of security faults

1996

Security in computer systems is important so as to ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identified, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modification of data, or disclosure of information.

A Survey on Taxonomies of Attacks and Vulnerabilities in Computer Systems

2012

Security evaluation of a system is a complicated problem. The majority of recent efforts in security evaluation involve discovering well-known vulnerabilities. Discovering previously unidentified vulnerabilities remains a largely subjective procedure. The procedure can be improved by considering the characteristics and behavior of well-known vulnerabilities. The information thus obtained can be organized into an appropriate taxonomy, which can then be used as a framework for systematically investigating new systems for related but as yet unidentified vulnerabilities. There have been several efforts at producing such taxonomies. This paper offers a detailed review of the significant work done on developing taxonomies of attacks and vulnerabilities in computer systems. This review covers work done in security-related taxonomies. Apart from giving a state-of-the-art review of taxonomies, we also examine their efficiency for use in a se...

Understanding Vulnerabilities by Refining Taxonomy

Since the early 90s, experts have proposed various ways to prevent exploitation and to avoid releasing software with vulnerabilities. One way is to educate developers about known vulnerabilities using a taxonomy of vulnerabilities as a guide. However, guidance based on a taxonomy of vulnerabilities has not been shown to mitigate the issues. One possible reason is gaps in producing the right and comprehensive taxonomy for software vulnerabilities. We studied various available taxonomies of software vulnerabilities. In this paper we propose and discuss our own criteria for a taxonomy of software vulnerabilities, with some improvements and with particular emphasis on C programming.

A Suite of Metrics for Calculating the Most Significant Security Relevant Software Flaw Types

2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC)

The Common Weakness Enumeration (CWE) is a prominent list of software weakness types. This list is used by vulnerability databases to describe the underlying security flaws within analyzed vulnerabilities. This linkage opens the possibility of using the analysis of software vulnerabilities to identify the most significant weaknesses that enable those vulnerabilities. We accomplish this through creating mashup views combining CWE weakness taxonomies with vulnerability analysis data. The resulting graphs have CWEs as nodes, edges derived from multiple CWE taxonomies, and nodes adorned with vulnerability analysis information (propagated from children to parents). Using these graphs, we develop a suite of metrics to identify the most significant weakness types (using the perspectives of frequency, impact, exploitability, and overall severity).

A Classification of Software Vulnerabilities That Result From Incorrect Environmental Assumptions

The consequences of a class of system failures, commonly known as software vulnerabilities, violate security policies. They can cause the loss of information and reduce the value or usefulness of the system. An increased understanding of the nature of vulnerabilities, their manifestations, and the mechanisms that can be used to eliminate and prevent them can be achieved by the development of a unified definition of software vulnerabilities, and the development of a framework for the creation of taxonomies for ...