Security hardening of open source software

Mourad, Azzam; Laverdière, Marc-André; Debbabi, Mourad

doi:10.1145/1501434.1501486

Cited by 15 publications

(7 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For example, Cadariu et al [15] identified the need for automated known vulnerability detection, in particular with respect to external components and systems. In [16] Mourad et al identify security hardening as a possible concept to help developers and maintainers eliminate and prevent vulnerabilities and threats. Complementing the concept of Mourad et al the need for automation of security compliance checks was described by Ullah et al in [17].…”

Section: A Security Automationmentioning

confidence: 99%

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Angermeir

Voggenreiter

Moyón

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

View full text Add to dashboard Cite

Agile and DevOps are widely adopted by the industry. Hence, integrating security activities with industrial practices, such as continuous integration (CI) pipelines, is necessary to detect security flaws and adhere to regulators' demands early.In this paper, we analyze automated security activities in CI pipelines of enterprise-driven open source software (OSS). This shall allow us, in the long-run, to better understand the extent to which security activities are (or should be) part of automated pipelines. In particular, we mine publicly available OSS repositories and survey a sample of project maintainers to better understand the role that security activities and their related tools play in their CI pipelines. To increase transparency and allow other researchers to replicate our study (and to take different perspectives), we further disclose our research artefacts. Our results indicate that security activities in enterprise-driven OSS projects are scarce and protection coverage is rather low. Only 6.83% of the analyzed 8,243 projects apply security automation in their CI pipelines, even though maintainers consider security to be rather important. This alerts industry to keep the focus on vulnerabilities of 3rd Party software and it opens space for other improvements of practice which we outline in this manuscript.

show abstract

Section: A Security Automationmentioning

confidence: 99%

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Angermeir

Voggenreiter

Moyón

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

View full text Add to dashboard Cite

show abstract

“…Segundo [25], o processo de tornar o sistema operacional mais seguro do que o nível padrão de sua instalação,é conhecido como hardening. O conceito de hardening também foi adotado por autores para descrever métodos de aprimorar a segurança em softwares [26] e na camada de rede de uma organização [27]. Desta forma, o termo hardening,é utilizado para referenciar a melhoria em segurança de algum sistema, podendo ser um software, uma rede e seus dispositivos, assim como um sistema operacional.…”

Section: Hardeningunclassified

Vulnerability Identification on GNU/Linux Operating Systems through Case-Based Reasoning

Santos

Nobre

2019

RITA

View full text Add to dashboard Cite

Operating system security has been steadily evolving over the years. Several mechanisms, softwares and guides of best practices of configuration have been developed to contribute with the security of such systems. The process that makes an operating system safer by considering the default level obtained at the installation is known as hardening. Experience and technical knowledge are important attributes for the professional performing this process. In this context, automated rule-based tools are often used to assist professionals with little experience in vulnerability identification activities. However, the use of rules establishes a dependency on developers for the development of new rules as well as to keep them updated. Failure to update rules can significantly compromise the integrity of vulnerability identification results. In this paper, the Case-Based Reasoning (CBR) technique is used to improve tools that assist inexperienced professionals in conducting vulnerability identification activities. The purpose of using CBR is to make inexperienced professionals obtain similar results as experienced professionals. In addition, the dependence on rule developers is diminished. A prototype was developed considering the GNU/Linux system in order to carry out an experimental evaluation. This evaluation demonstrated that the application of CBR improves the performance of inexperienced professionals in terms of the number of identified vulnerabilities.

show abstract

“…We defined in Mourad et al (2006) software security hardening as any process, methodology, product, or combination thereof that is used to add security functionalities and/or remove vulnerabilities or prevent their exploitation in existing software. Security hardening practices are usually applied manually by injecting security code into the software (Bishop, 2005;Howard and Le Blanc, 2002;Seacord, 2005;Wheeler, 2003).…”

Section: Security Hardening Approachmentioning

confidence: 99%

A High-level Aspect-oriented-based Framework for Software Security Hardening

Mourad

Laverdière

Debbabi

2008

Information Security Journal: A Global Perspective

Self Cite

View full text Add to dashboard Cite

In this paper, we present an aspect-oriented approach and propose a high-level language called SHL (Security Hardening Language) for the systematic security hardening of software. The primary contribution of this proposition is providing the software architects with the capabilities to perform security hardening by applying well-defined solutions and without the need to have expertise in the security solution domain. At the same time, the security hardening is applied in an organized and systematic way in order not to alter the original functionalities of the software. This is done by providing an abstraction over the actions required to improve the security of a program and adopting aspect-oriented programming to build and develop the solutions. SHL allows the developers to describe and specify the security hardening plans and patterns needed to harden systematically security into open source software. It is a minimalist language built on top of the current aspectoriented technologies that are based on advice-poincut model and can also be used in conjunction with them. We explore the viability and relevance of our proposition by applying it into several security hardening case studies and presenting their experimental results.

show abstract

Security hardening of open source software

Cited by 15 publications

References 1 publication

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Enterprise-Driven Open Source Software: A Case Study on Security Automation

Vulnerability Identification on GNU/Linux Operating Systems through Case-Based Reasoning

A High-level Aspect-oriented-based Framework for Software Security Hardening

Contact Info

Product

Resources

About