FOSS is here to stay, displacing malevolent privative counterparts—great!
FOSS exposes bugs to be found and fixed by the community—great!
FOSS shows security issues than can be exploited by attackers—gr..what?
In the last decades, source code transparency has made the job of black-hat hackers increasingly easy. We now have security websites exposing vulnerabilities and even exploits online—and despite good practices like responsible disclosure, it is the sheer amount of (external) code what makes everyone ultimately vulnerable. In plain words, nobody's safe.
From that base, this talk puts forward the need for a concept of *probability of future exploits*. This is crucial for project management, but also at developer level, to see the risks of not upgrading (or yes upgrading!) a dependency. We show how this probability can, and must, be computed from a project's dependency tree, in a manner that only the use of FOSS can allow. We also show that the development history of the project and its dependencies is key to getting useful results.
Finally, we merge the dependency tree and development history of a project into a white-box model, which we use to estimate the probability of future exploits. We show how to do it for the Java-Maven environment, for which we can use the FOSS tool 'FIG'. FIG, written in C++ and released under GPLv3, was designed for statistical estimations and can compute the probability of attacks in complex scenarios like the ones at hand.
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
SFSCON23 - Carlos Esteban Budde - Predict security attacks in FOSS
1. >>> Predict security attacks in FOSS
>>> Why you want it and how to do it
Name: Carlos E. Budde
Inst: University of Trento, Italy
Date: 10th November 2023
[~]$ _ [1/9]
36. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
[4. Challenges]$ _ [7/9]
37. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
[4. Challenges]$ _ [7/9]
38. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
[4. Challenges]$ _ [7/9]
39. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
[4. Challenges]$ _ [7/9]
40. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]
41. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]
42. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
[4. Challenges]$ _ [7/9]
43. >>> But:
* Vulnerabilities are rare events ⇒ very few to fit from
– Aggregate vulnerabilities from many libraries
* Not every vulnerability (or library) is equivalent
– Partition software libraries per type
* Software features for classification
that are relevant for security
Some SW metric
Some
other
SW
metric
Types of so�tware library
Features used to partition data,
not to predict vulnerabilities
[4. Challenges]$ _ [7/9]
44. >>> Preliminary outcomes
Time from release date of library to publication date of CVE
Probability
of
CVE
in
own_code
of
library
Small/Medium Large
Local
Remote
network
[5. Results]$ _ [8/9]
45. >>> Predict security attacks in FOSS
>>> Why you want it and how to do it
Name: Carlos E. Budde†
Inst: University of Trento, Italy
https://vuass.eu.qualtrics.com/
jfe/form/SV_cFSKOHjHZnaH2Si
Ethical
security
survey
—
Vrije
Universiteit
Amsterdam
†
carlosesteban.budde@unitn.it
[~]$ _ [9/9]