Assessing Attack Surface with Component-Based Package Dependency

Zhang, Su; Zhang, Xinwen; Ou, Xinming; Chen, Liqun; Edwards, Nigel; Jin, Jing

doi:10.1007/978-3-319-25645-0_29

Cited by 15 publications

(9 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[15] States that current CVSS do not reveal the fact that vulnerabilities on highly depended packages usually bring larger attack surfaces compared to those detected on a client application, even when they have the same CVSS scores. [15] Studied the impacts of components dependencies which refer to a code reuse by a component from the library packages that it relies upon. [16] Presents a risk estimation model that makes use of CVSS to produce security risk levels implemented as a Bayesian Belief Network (BBN) topology.…”

Section: The Proposed Frameworkmentioning

confidence: 97%

“…Researchers studied the impacts of component dependency graphs [12] [13] [14]. [15] Claims that CVSS does not take into consideration component dependencies, which impacts dramatically the exploitability of a vulnerability. [15] States that current CVSS do not reveal the fact that vulnerabilities on highly depended packages usually bring larger attack surfaces compared to those detected on a client application, even when they have the same CVSS scores.…”

Section: The Proposed Frameworkmentioning

confidence: 99%

“…[15] Claims that CVSS does not take into consideration component dependencies, which impacts dramatically the exploitability of a vulnerability. [15] States that current CVSS do not reveal the fact that vulnerabilities on highly depended packages usually bring larger attack surfaces compared to those detected on a client application, even when they have the same CVSS scores. [15] Studied the impacts of components dependencies which refer to a code reuse by a component from the library packages that it relies upon.…”

Section: The Proposed Frameworkmentioning

confidence: 99%

See 2 more Smart Citations

Evaluating Damage Potential in Security Risk Scoring Models

Weintraub¹

2016

ijacsa

View full text Add to dashboard Cite

Abstract-A Continuous Monitoring System (CMS) model is presented, having new improved capabilities. The system is based on the actual real-time configuration of the system. Existing risk scoring models assume damage potential is estimated by systems' owner, thus rejecting the information relying in the technological configuration. The assumption underlying this research is based on users' ability to estimate business impacts relating to systems' external interfaces which they use regularly in their business activities, but are unable to assess business impacts relating to internal technological components. According to the proposed model systems' damage potential is calculated using technical information on systems' components using a directed graph. The graph is incorporated into the Common Vulnerability Scoring Systems' (CVSS) algorithm to produce risk scoring measures. Framework presentation includes system design, damage potential scoring algorithm design and an illustration of scoring computations.

show abstract

Section: The Proposed Frameworkmentioning

confidence: 97%

Section: The Proposed Frameworkmentioning

confidence: 99%

Section: The Proposed Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

Evaluating Damage Potential in Security Risk Scoring Models

Weintraub¹

2016

ijacsa

View full text Add to dashboard Cite

show abstract

“…This approach tries to increase the attack surface of an application by bringing content-based package dependency into play. Vulnerabilities on highly dependent packages usually bring larger attack surfaces compared to those detected on a client application, even when they have the same CVSS scores, 13 and CVSSv2 does not reveal that fact. Thus, by bringing CMS content-based package dependency vulnerabilities to Glastopf, the attack surface of this application would increase even though that may not reflect in CVSSv2 score.…”

Section: Approachmentioning

confidence: 99%

Self-Advertising Attack Surfaces for Web Application Honeypots: New Technology to Managing Cyber Disasters

Mphago¹,

Mpoeleng²,

Masupe

et al. 2018

ISIJ

View full text Add to dashboard Cite

Honeypots are security tools often used to attract and learn attackers' methods or divert their attention to unimportant resources. In order to achieve their goal, honeypots need to be identified by the attackers, and this is often the challenge with most deployments of honeypots. This paper therefore explores the use of attack surface sizes in web application honeypots to self-advertise their honeypots to the attackers. PageRank, which is a system that ranks pages on the web through outward link analysis, ranks important pages as seen by their users at the top of the search results. Therefore, the paper argues that vulnerable pages on the web, thus applications with large attack surface, are also important to attackers. Therefore, if pages are ranked based on their importance as seen by their users, pages with large attack surface should rank high when attackers search for them. To design a large attack surface, attack surface parameters can be strategically placed in a template as different parameters affect the attack surface differently when placed in a particular way.

show abstract

“…Zhang et al [35] proposed an approach for estimating the security risk for a software project by considering known security vulnerabilities in its dependencies, however the approach does not consider any evidence for the presence of a vulnerability. Dumitras et al [36] discussed a risk model for managing software upgrades in enterprise systems.…”

Section: Empirical Studies On Trade-offs Between the Security Risk Pomentioning

confidence: 99%

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi

Brucker

Massacci

2019

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Abstract-Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this component in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities-in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.

show abstract

Assessing Attack Surface with Component-Based Package Dependency

Cited by 15 publications

References 46 publications

Evaluating Damage Potential in Security Risk Scoring Models

Evaluating Damage Potential in Security Risk Scoring Models

Self-Advertising Attack Surfaces for Web Application Honeypots: New Technology to Managing Cyber Disasters

A Screening Test for Disclosed Vulnerabilities in FOSS Components

Contact Info

Product

Resources

About