Software vulnerabilities are a well-known problem in current software projects. The situation becomes even more complicated, due to the ever-increasing complexity of the interconnections between both commercial and free open-source software (FOSS) projects. In this dissertation, we are aiming to facilitate the security assessment process in an industrial context. We start from the level of the own code of an individual software project, for which we propose a differential benchmarking approach for automatic assessment of static analysis security testing tools. We have demonstrated this approach, using 70 revisions of four major versions of Apache Tomcat with 62 distinct vulnerability fixes as a ground-truth set to test 7 tools. Since modern software projects often import functionality via software dependencies, that can also introduce vulnerabilities into the dependent project, we propose a methodology for counting actually vulnerable dependencies. We have evaluated the methodology on the set of 200 most used industry-relevant FOSS libraries, that resulted in 10905 distinct library instances when considering all the library versions. Finally, we have investigated the situation on the level of the FOSS ecosystem. Here we have studied decision-making strategies of developers for selecting and updating dependencies, as well as the influence of security concerns on the developers' decisions from quantitative and qualitative perspectives. For the qualitative study we have run 15 semi-structured interviews with software developers from 15 companies located in 7 countries.

Decision Support of Security Assessment of Software Vulnerabilities in Industrial Practice / Pashchenko, Ivan. - (2019), pp. 1-111.

Decision Support of Security Assessment of Software Vulnerabilities in Industrial Practice

Pashchenko, Ivan
2019-01-01

Abstract

Software vulnerabilities are a well-known problem in current software projects. The situation becomes even more complicated, due to the ever-increasing complexity of the interconnections between both commercial and free open-source software (FOSS) projects. In this dissertation, we are aiming to facilitate the security assessment process in an industrial context. We start from the level of the own code of an individual software project, for which we propose a differential benchmarking approach for automatic assessment of static analysis security testing tools. We have demonstrated this approach, using 70 revisions of four major versions of Apache Tomcat with 62 distinct vulnerability fixes as a ground-truth set to test 7 tools. Since modern software projects often import functionality via software dependencies, that can also introduce vulnerabilities into the dependent project, we propose a methodology for counting actually vulnerable dependencies. We have evaluated the methodology on the set of 200 most used industry-relevant FOSS libraries, that resulted in 10905 distinct library instances when considering all the library versions. Finally, we have investigated the situation on the level of the FOSS ecosystem. Here we have studied decision-making strategies of developers for selecting and updating dependencies, as well as the influence of security concerns on the developers' decisions from quantitative and qualitative perspectives. For the qualitative study we have run 15 semi-structured interviews with software developers from 15 companies located in 7 countries.
2019
XXXI
2019-2020
Ingegneria e scienza dell'Informaz (29/10/12-)
Information and Communication Technology
Massacci, Fabio
no
Inglese
Settore INF/01 - Informatica
File in questo prodotto:
File Dimensione Formato  
Thesis.pdf

accesso aperto

Tipologia: Tesi di dottorato (Doctoral Thesis)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 2.02 MB
Formato Adobe PDF
2.02 MB Adobe PDF Visualizza/Apri
Disclaimer.pdf

Solo gestori archivio

Tipologia: Tesi di dottorato (Doctoral Thesis)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 1.24 MB
Formato Adobe PDF
1.24 MB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/368392
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact