Tracking known security vulnerabilities in proprietary software systems

Known security vulnerabilities can be introduced into software systems as a result of depending on third-party components. These documented software weaknesses are “hiding in plain sight” and represent low-hanging fruit for attackers. In this paper we present the Vulnerability Alert Service (VAS), a tool-based process to track known vulnerabilities in software systems throughout their life cycle. We studied its usefulness in the context of external software product quality monitoring provided by the Software Improvement Group, a software advisory company based in Amsterdam, the Netherlands. Besides empirically assessing the usefulness of the VAS, we have also leveraged it to gain insight into, and report on, the prevalence of third-party components with known security vulnerabilities in proprietary applications.
