The Evolution of a Security Control

  • Olgierd Pieczul
  • Simon N. Foley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10368)


The evolution of security defenses in a contemporary open-source software package is considered over a twelve-year period. A qualitative study is conducted that systematically analyzes the package's security advisories, codebase revisions and related discussions. A number of phenomena emerge from this analysis that provide insights into the process of managing code-level security defenses.


This work was supported, in part, by Science Foundation Ireland under grant SFI/12/RC/2289 and Irish Research Council/Chist-ERA.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. IBM Ireland Lab, Dublin, Ireland
  2. Department of Computer Science, University College Cork, Cork, Ireland
