Engineering Security Vulnerability Prevention, Detection, and Response

Williams, Laurie; McGraw, Gary; Migues, Sammy

doi:10.1109/ms.2018.290110854

Cited by 35 publications

(16 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Promotion suggests a strategy of exploration and seizing of opportunities whereas prevention is essentially vigilance-focused and cautionary. Because the usual cybersecurity messages focus on prevention (Ayala, 2016;Holland and Shey, 2015;Williams et al, 2018), messages prompting negative affect, as Sunstein (2003) advises, might not be the best way of discouraging risky behaviours and promoting precautionary behaviour in the cybersecurity context.…”

Section: Results In Relation To Existing Models Of Human Behaviourmentioning

confidence: 99%

Risk as affect: The affect heuristic in cybersecurity

Schaik

Renaud

Wilson

et al. 2020

Computers & Security

View full text Add to dashboard Cite

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

show abstract

Section: Results In Relation To Existing Models Of Human Behaviourmentioning

confidence: 99%

Risk as affect: The affect heuristic in cybersecurity

Schaik

Renaud

Wilson

et al. 2020

Computers & Security

View full text Add to dashboard Cite

show abstract

“…1. Studies by Howard and Leblanc (2001), Ponta et al (2018), Nguyen et al (2016), Munaiah et al (2017), Hejderup (2015), Pashchenko et al (2018), and Williams et al (2018) encourage developers to use security best practices, e.g., project validation, security monitoring, to prevent and detect vulnerabilities in deployed projects. 2.…”

Section: Introductionmentioning

confidence: 99%

Lags in the release, adoption, and propagation of npm vulnerability fixes

et al. 2021

View full text Add to dashboard Cite

Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing release of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package-side fixing releasetypeSpatch). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate propagation lags in an ecosystem.

show abstract

“…Similarly, the frameworks [19] and [22] converge on the activities related to policies and securitization of the development environment. Few studies analyze in depth the methodologies of secureby-default development [24], [25]. Grégoire et al [26] compare the similarities of Microsoft SDL [17] and CLASP-OWASP [20] in a theoretical way.…”

Section: Background and Related Workmentioning

confidence: 99%

A Preventive Secure Software Development Model for a Software Factory: A Case Study

2020

View full text Add to dashboard Cite

The number of cyberattacks has greatly increased in in the last years, as well as their sophistication and impact. For this reason, new emerging software development models are demanded, which help in developing secure by default software. To achieve this, the analysis and comparison in depth of the current models of secure software development is especially important. In this paper, a review of the most popular secure software models is presented, and a new secure software methodology is proposed, adapted to all current environments. A practical experiment in a software development company is tested, as a case study, considering data from real software projects. The results are presented and compared in two development scenarios: a classic one with a reactive security approach, and another one, emerging and preventive, that applies security by default in all phases of the software life cycle. In the case study, the total amount of vulnerabilities is reduced by 68,42%, decreasing their criticality and the temporal impact of their resolutions. In this way, software security and quality are methodologically improved with the proposed model, proving that the new emerging approach provides a more secure software.INDEX TERMS Commercial experiment, preventive model, secure software development, vulnerability reduction.

show abstract

Engineering Security Vulnerability Prevention, Detection, and Response

Cited by 35 publications

References 2 publications

Risk as affect: The affect heuristic in cybersecurity

Risk as affect: The affect heuristic in cybersecurity

Lags in the release, adoption, and propagation of npm vulnerability fixes

A Preventive Secure Software Development Model for a Software Factory: A Case Study

Contact Info

Product

Resources

About