Software Selection based on Quantitative Security Risk Assessment

software products often exist on the same server, and therefore a vulnerability in one product might compromise the entire system. It is imperative to perform a security risk assessment when selecting the candidate software products that become part of a larger system. A quantitative security risk assessment model provides an objective criterion for such assessment and for comparison between candidate software systems. In this paper, we present a software product evaluation method built on such a quantitative security risk assessment model. The method draws on prior research in quantitative security risk assessment, which is based on empirical data from the National Vulnerability Database (NVD), and compares the security risk levels of the products evaluated. We introduce topic modeling to build the security risk assessment model: the risk model is created using Latent Dirichlet Allocation (LDA) to classify vulnerabilities into topics, which are then used as the measurement instruments to evaluate the candidate software products. Such a procedure could supplement the existing selection process and assist decision makers in evaluating open-source software (OSS) systems, to ensure they are safe and secure enough to be put into their environment. Finally, the procedure is demonstrated through an experimental case study.
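As an added illustration of the procedure the abstract describes (not code from the paper), the block below fits a small collapsed-Gibbs LDA over a constructed set of NVD-style vulnerability descriptions and then uses the resulting topics as the measurement instrument: each candidate product gets a risk vector giving how much CVSS mass falls into each topic. The corpus, the two-topic setting and the CVSS-mass-per-topic scoring rule are assumptions made here, since the abstract does not specify the exact instrument.

```python
import random
from collections import Counter

# Constructed mini-corpus of NVD-style entries: (candidate product, CVSS base score, description)
CORPUS = [
    ("alpha", 9.8, "buffer overflow in parser allows remote code execution"),
    ("alpha", 7.5, "heap overflow in image parser leads to code execution"),
    ("alpha", 6.1, "cross site scripting in login page allows script injection"),
    ("beta",  5.4, "cross site scripting in admin page allows script injection"),
    ("beta",  6.1, "reflected cross site scripting in search page"),
    ("beta",  4.3, "stored script injection in comment page"),
    ("beta",  9.8, "stack overflow in network parser allows remote code execution"),
]
STOP = {"in", "allows", "to", "leads"}

def tokenize(text):
    return [w for w in text.split() if w not in STOP]

def lda_gibbs(docs, k, iters=200, alpha=0.1, beta=0.01, seed=1):
    """Collapsed Gibbs sampling for LDA; returns the per-document topic distribution theta."""
    rng = random.Random(seed)
    v = len({w for d in docs for w in d})
    z = [[rng.randrange(k) for _ in d] for d in docs]      # topic assignment per token
    ndk = [[0] * k for _ in docs]                           # doc-topic counts
    nkw = [Counter() for _ in range(k)]                     # topic-word counts
    nk = [0] * k                                            # tokens per topic
    for i, d in enumerate(docs):
        for j, w in enumerate(d):
            t = z[i][j]; ndk[i][t] += 1; nkw[t][w] += 1; nk[t] += 1
    for _ in range(iters):
        for i, d in enumerate(docs):
            for j, w in enumerate(d):
                t = z[i][j]; ndk[i][t] -= 1; nkw[t][w] -= 1; nk[t] -= 1
                # resample token topic from its conditional given all other assignments
                weights = [(ndk[i][s] + alpha) * (nkw[s][w] + beta) / (nk[s] + v * beta) for s in range(k)]
                t = rng.choices(range(k), weights=weights)[0]
                z[i][j] = t; ndk[i][t] += 1; nkw[t][w] += 1; nk[t] += 1
    return [[(ndk[i][s] + alpha) / (len(d) + k * alpha) for s in range(k)] for i, d in enumerate(docs)]

def topic_risk(corpus, k=2):
    """Per-product risk: CVSS mass landing in each LDA topic, plus the scalar total (assumed rule)."""
    theta = lda_gibbs([tokenize(t) for _, _, t in corpus], k)
    risk = {}
    for (product, cvss, _), th in zip(corpus, theta):
        vec = risk.setdefault(product, [0.0] * k)
        for s in range(k):
            vec[s] += cvss * th[s]
    return {p: (vec, round(sum(vec), 2)) for p, vec in risk.items()}

if __name__ == "__main__":
    for product, (vec, total) in sorted(topic_risk(CORPUS).items(), key=lambda kv: -kv[1][1]):
        print(product, [round(x, 2) for x in vec], total)
```

The vector is what the topic-based comparison adds over a plain CVSS sum: two products with similar totals can still differ in which vulnerability classes carry the risk.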
