Assessing the risk of using vulnerable components

Balzarotti, Davide; Monga, Mattia; Sicari, Sabrina

doi:10.1007/978-0-387-36584-8_6

Davide Balzarotti⁴,
Mattia Monga⁵ &
Sabrina Sicari⁶

Part of the book series: Advances in Information Security ((ADIS,volume 23))

912 Accesses
12 Citations

Abstract

This paper discusses how information about the architecture and the vulnerabilities affecting a distributed system can be used to quantitatively assess the risk to which the system is exposed. Our approach to risk evaluation can be used to assess how much one should believe in system trustworthiness and to compare different solutions, providing a tool for deciding if the additional cost of a more secure component is worth to be afforded.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 169.00; Price excludes VAT (USA)

Softcover Book: USD 219.99; Price excludes VAT (USA)

Hardcover Book: USD 219.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Christopher Alberts, Audree Dorofee, James Stevens, and Carol Woody. Introduction to the Octave approach, http://www.cert.org/octave/, 2003.
Richard Baskerville. Information system security design methods: Implications for information systems development. ACM Computing Survey, 25(4):375–412, 1993.
Article Google Scholar
Gautam Biswas, Kenneth A. Debelak, and Kazuhiko Kawamura. Application of qualitative modelling to knoweledge-based risk assessment studies. IEA/AIE ‘89: Second International Conference on Industrial & Engineering Applications of Artificial Intelligence & Expert Systems-ACM, pages 92–101, 1989.
Google Scholar
B. Jenkins. Risk analysis helps establish a good security posture; risk management keeps it that way. whitepaper, pages 1–16, 1998.
Google Scholar
Harvey M. Deitel, Paul J. Deitel, B. DuWaldt, and L. K. Trees. Web Services: A Technical Introduction. Prentice Hall, 2002.
Google Scholar
Zaid Dwaikat and Francesco Parisi-Presicce. Risky trust: Risk-based analysis of software system. Proceedings of the first workshop on Software Engineering for Secure Systems (SESS05).
Google Scholar
S. Evans, D. Heinbuch, E Kyle, J. Piorkowski,and J. Wallener. Risk-based system security engineering: Stopping attacks with intention. IEEE Security & Privacy, pages 59–62, 2004.
Google Scholar
Network Working Group. Internet security glossary, http://rfc.net/rfc2828.html, May 2000. Request for Comments: 2828.
Michael Howard and David Leblanc. Writing secure Code. Microsoft Press, 2003.
Google Scholar
Khaled Khan, Jun Han, and Yuliang Zheng. A framework for an active interface to characterize compositional security contracts of software components. 2001 Australian Software Engineering Conference (ASWECOl)-IEEE Computer Society Press, pages 117–126.
Google Scholar
I.S. Moskowitz and M.H. Kang. An insecurity flow model. Proceedings of New Security Paradigms workshop, 1997.
Google Scholar
S. Noel, S. Jajoidia, B. O‘Berry, and M. Jacobs. Efficient minimum-cost network hardening via exploit dependency graphs. Proceedings of ACSAC‘03.
Google Scholar
M. Elisabeth Pate-Cornell. Fault tree vs. event trees in reliability analysis. Risk Analysis, 4(3): 177–186, 1984.
Article Google Scholar
Mehmet Sahinoglu. Security meter:a pratical decision-tree model to quantify risk. IEEE Security & Privacy,3(3): 18–24, May/June 2005.
Google Scholar
Bruce Schneier. Modelling security threats. Dr. Dobb’s Journal, dec 1999.
Google Scholar
Gunter P. Sharp, Philip H. Enslow, Shamkant B. Navathe, and Fariborz Farhmand. Managing vulnerabilities of information system to security incindets. ACM International Conference: 5th international conference on Electronic commerce, pages 348–354, 2003.
Google Scholar
O. Sheyner, J. Haines, S.Jha, R. Lippmann, and J.M. Wing. Automated generation and analysis of attack graphs. Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P‘02).
Google Scholar
Thomas Siu. Risk-eye for IT security guy. Gsec, pages 1–20, 2004.
Google Scholar

Download references

Author information

Authors and Affiliations

Dip. di Elettronica e Informazione - Piazza Leonardo da Vinci, 32, Politecnico di Milano, I 20133, Milan, Italy
Davide Balzarotti
Dip. di Informatica e Comunicazione - Via Comelico, 39, Università degli Studi di Milano, I 20135, Milan, Italy
Mattia Monga
Dip. di Ing. Informatica e delle Telecomunicazioni, Università di Catania, Viale Andrea Doria 6, 1-95125, Catania, Italy
Sabrina Sicari

Authors

Davide Balzarotti
View author publications
You can also search for this author in PubMed Google Scholar
Mattia Monga
View author publications
You can also search for this author in PubMed Google Scholar
Sabrina Sicari
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Institute Security in Distributed Applications, TU Hamburg-Harburg, Harburger Schloßstraße 20, 21079, Hamburg, Germany
Dieter Gollmann
Dipartimento Informatica e Telecomunicazioni (DIT), University of Trento, Via Sommarive, 14 38050, Trento, Italy
Fabio Massacci & Artsiom Yautsiukhin &

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Balzarotti, D., Monga, M., Sicari, S. (2006). Assessing the risk of using vulnerable components. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_6

Download citation

DOI: https://doi.org/10.1007/978-0-387-36584-8_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29016-4
Online ISBN: 978-0-387-36584-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics