
User-Centric Security Assessment of Software Configurations: A Case Study

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8364)

Abstract

Software systems are invariably vulnerable to exploits, hence the need to assess their security in order to quantify the risk that their usage entails. However, existing vulnerability assessment approaches, e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed in order to perform the analysis and, (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small and medium-sized enterprises, are often unable to assess the actual technical and economic impact that vulnerability exploits would have on their own organization before the system is deployed. Drawing upon threat modeling techniques (i.e., attack trees), we propose a user-centric methodology to quantitatively assess the security of a software configuration based on (i) the expected economic impact associated with compromising the system’s security goals and (ii) a method to rank the available configurations with respect to security. This paper demonstrates the feasibility and usefulness of our approach in a real-world case study based on the Amazon EC2 service. Over 2000 publicly available Amazon Machine Images are analyzed and ranked with respect to a specific business profile, before deployment in Amazon’s cloud.
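The abstract describes the shape of the assessment but not its mechanics. The following is an added illustration, not the paper's own method or code, of how an attack-tree model combined with a business-profile impact table yields a pre-deployment ranking of candidate configurations. All names, packages, exploitability scores and monetary impacts below are constructed for the example; the 0..10 exploitability scale, the probabilistic AND/OR gate semantics and the independence assumption between attack steps are modelling choices made here, not taken from the paper.

```python
"""Rank candidate software configurations by expected economic loss.

Illustrative model (added example, not the paper's method): a configuration is a
set of installed packages; each package carries known weaknesses that contribute
to compromising one security goal (confidentiality, integrity, availability).
The attack tree for a goal is a top-level OR over every package that can be
abused to reach it; inside a package the steps form AND/OR subtrees.  Leaf
probabilities are derived from an assumed CVSS-like 0..10 exploitability score.
A business profile supplies the monetary loss per compromised goal, so the
expected loss of a configuration is sum over goals of P(goal) * impact(goal).
All catalogue, profile and image data below is constructed for the example.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Leaf:
    """An atomic attack step, e.g. exploiting one known vulnerability."""
    name: str
    exploitability: float  # assumed CVSS-like 0..10 score

    def probability(self) -> float:
        # Clamp to the scale, then map linearly to a success probability.
        return min(max(self.exploitability, 0.0), 10.0) / 10.0


@dataclass(frozen=True)
class Node:
    """AND: every child step must succeed.  OR: any single child suffices."""
    gate: str
    children: tuple

    def probability(self) -> float:
        ps = [c.probability() for c in self.children]
        if not ps:
            return 0.0  # no known way to reach this node
        if self.gate == "AND":
            return prod(ps)
        if self.gate == "OR":
            # Independence assumption: P(any succeeds) = 1 - P(all fail)
            return 1.0 - prod(1.0 - p for p in ps)
        raise ValueError(f"unknown gate {self.gate!r}")


GOALS = ("confidentiality", "integrity", "availability")

# Constructed business profile: loss (in a currency unit) if a goal is fully compromised.
WEBSHOP_PROFILE = {"confidentiality": 250_000.0, "integrity": 120_000.0, "availability": 40_000.0}

# Constructed vulnerability catalogue: package version -> goal -> attack subtree.
CATALOGUE = {
    "httpd-2.2.3": {
        "confidentiality": Node("AND", (Leaf("info-leak", 6.0), Leaf("read-config", 4.0))),
        "availability": Node("OR", (Leaf("dos-range-header", 8.0),)),
    },
    "httpd-2.4.6": {"availability": Node("OR", (Leaf("dos-slowloris", 3.0),))},
    "openssl-1.0.1e": {"confidentiality": Node("OR", (Leaf("memory-disclosure", 9.0),))},
    "openssl-1.0.1h": {},
    "mysql-5.1": {"integrity": Node("AND", (Leaf("auth-bypass", 5.0), Leaf("privesc", 7.0)))},
    "mysql-5.6": {"integrity": Node("AND", (Leaf("auth-bypass", 2.0), Leaf("privesc", 7.0)))},
}


def goal_tree(packages, goal: str) -> Node:
    """Top-level OR: the attacker reaches the goal through any vulnerable package."""
    subtrees = (CATALOGUE.get(pkg, {}).get(goal) for pkg in packages)
    return Node("OR", tuple(t for t in subtrees if t is not None))


def expected_loss(packages, profile: dict) -> dict:
    """Per-goal expected loss plus the total for one configuration."""
    per_goal = {g: goal_tree(packages, g).probability() * profile[g] for g in GOALS}
    per_goal["total"] = sum(per_goal[g] for g in GOALS)
    return per_goal


def rank_configurations(configs: dict, profile: dict) -> list:
    """Return [(config_name, total_expected_loss)] sorted from safest to riskiest."""
    scored = [(name, expected_loss(pkgs, profile)["total"]) for name, pkgs in configs.items()]
    return sorted(scored, key=lambda t: t[1])


# Constructed candidate images (stand-ins for machine images) with their package lists.
CANDIDATES = {
    "image-legacy": ("httpd-2.2.3", "openssl-1.0.1e", "mysql-5.1"),
    "image-patched-ssl": ("httpd-2.2.3", "openssl-1.0.1h", "mysql-5.1"),
    "image-current": ("httpd-2.4.6", "openssl-1.0.1h", "mysql-5.6"),
}

if __name__ == "__main__":
    for name, loss in rank_configurations(CANDIDATES, WEBSHOP_PROFILE):
        print(f"{name:18s} expected loss {loss:12,.2f}")
```

The point of the business profile is that the ranking is not a property of the images alone: swapping the confidentiality and availability weights (a public content-delivery image rather than a web shop) can reorder candidates whose vulnerability sets differ only in which goal they hit. Independence between attack steps is a simplification; correlated steps (one leaked credential enabling several subtrees) make the OR estimate optimistic.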




© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Ghani, H., Luna Garcia, J., Petkov, I., Suri, N. (2014). User-Centric Security Assessment of Software Configurations: A Case Study. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_13


  • DOI: https://doi.org/10.1007/978-3-319-04897-0_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04896-3

  • Online ISBN: 978-3-319-04897-0
