Security Monitoring during Software Development: An Industrial Case Study

The devastating consequences of the security breaches observed in recent years have forced more and more software development enterprises to shift their focus towards building software products that are highly secure (i.e., vulnerability-free) from the ground up. Producing secure software applications requires appropriate mechanisms that enable project managers and developers to monitor the security level of their products during development and to identify and eliminate vulnerabilities prior to release. A large number of such mechanisms have been proposed in the literature over the years, but few attempts have been made to assess their industrial applicability, relevance, and practicality. To this end, in the present paper, we demonstrate an integrated security platform, the VM4SEC platform, which combines cutting-edge solutions for software security monitoring and optimization based on static and textual source code analysis. The platform was built to satisfy the actual security needs of a real software development company. For this purpose, an industrial case study was conducted to identify the current security state of the company and its security needs, so that the employed security mechanisms could be adapted to the specific needs of the company. Based on this analysis, the overall architecture of the platform and the parameters of the selected models and mechanisms were defined, and both are demonstrated in the present paper. The purpose of this paper is to showcase how cutting-edge security monitoring and optimization mechanisms can be adapted to the needs of a particular company and to serve as a blueprint for constructing similar security monitoring platforms and pipelines.
