A Decade of Reoccurring Software Weaknesses

Gueye, Assane; Galhardo, Carlos Eduardo Cardoso; Bojanova, Irena; Mell, Peter

doi:10.1109/msec.2021.3082757

Cited by 6 publications

(2 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nonetheless, it should be noted that the proposed approach is general enough to support other quantitative scoring systems for software security, and is not necessarily tied to scores derived with the CVSS. Table 2 reports the most significant CWE entries in the 2022 CWE Top 25 [20] related to the domain of embedded systems, in terms of rank, weakness identification number (CWE ID), vulnerability description (shortened, from the CWE database 2 ), and overall score associated with the SSS parameter s v (normalized in [0, 1] by dividing the corresponding score in the 2022 CWE Top 25 by 100).…”

Section: A Matching Cwe Top 25 With Our Modelmentioning

confidence: 99%

Maximizing the Security Level of Real-Time Software While Preserving Temporal Constraints

et al. 2023

View full text Add to dashboard Cite

Embedded computing systems are becoming increasingly relevant in the Internet of Things (IoT) and edge computing domains, where they are often employed as the control entity of a cyber-physical system. When operating in such interconnected domains, a software system is susceptible to cyber-attacks from external agents, which can compromise the correct behavior of the system. In addition, the software executing in these systems is typically characterized by stringent timing constraints, which must be satisfied during system execution. Enabling software protections to enhance the security level of the embedded software comes at the cost of increasing the computation times of the tasks, introducing the risk of deadline misses that could also jeopardize the system behavior. This paper presents a methodology to optimize the security level of real-time software while preserving system-wide schedulability by leveraging timing analysis. The proposed approach is based on a mixed-integer linear programming (MILP) formulation that maximizes the security level of the tasks and integrates a response-time analysis technique to assess the schedulability of the system whenever additional protections are activated to shield the software against cyber-attacks targeting specific classes of vulnerabilities. An experimental evaluation is presented to assess the performance of the proposed approach on a representative set of tasks included in standard benchmarking suites for embedded software.

show abstract

Section: A Matching Cwe Top 25 With Our Modelmentioning

confidence: 99%

Maximizing the Security Level of Real-Time Software While Preserving Temporal Constraints

et al. 2023

View full text Add to dashboard Cite

show abstract

“…The 2022 Verizon Data Breach Investigation Report [1] indicates that there were 5,212 data breaches in 2022 in the United States and the number of breaches increases every year. Despite increased tracking and abatement of software vulnerabilities, Gueye and Mell [2] report that the most prevalent software errors have not changed much since vulnerabilities were first cataloged. Indeed, MITRE [3] lists the top four most dangerous software vulnerabilities of 2022 as:…”

Section: Introductionmentioning

confidence: 99%

What Is Interesting and Relevant About Cybersecurity?

Resch,

Shin,

Gardner-McCune

2024

CISSE

View full text Add to dashboard Cite

Cyber attacks are a common feature of current news and many of them are the result of easy to avoid vulnerabilities in software. It is imperative that students graduating from an undergraduate Computer Science (CS) curriculum understand the consequences of vulnerable code. When developing lessons and assignments, it would be useful to have a sense of students’ attitude toward cybersecurity and appreciation of the need to write secure code. This paper describes an analysis of the results of a survey of students in core CS courses at our large public university, in which students answer free response questions about what they find interesting and relevant about cybersecurity. The survey was conducted in Fall 2022 and repeated in Spring 2023 after cybersecurity interventions were introduced into several core CS courses. We performed a Natural Language Processing (NLP) analysis of the free response answers to determine the overarching themes in the responses. We found that the most prevalent topics students are interested in are cryptography and penetration testing, and did not change over the two semesters. In answer to the question about the relevance of studying cybersecurity, we found that as students progress through the curriculum, what students find relevant moves from protecting their personal data to its importance in job duties and writing secure programs. When developing lessons and assignments, it may be helpful to introduce cryptography or penetration testing to engage students. Also, students should be taught early and often about the relevance of cybersecurity in their future job duties.

show abstract