Do Software Security Practices Yield Fewer Vulnerabilities?
- URL: http://arxiv.org/abs/2210.14884v2
- Date: Thu, 15 Jun 2023 14:45:33 GMT
- Title: Do Software Security Practices Yield Fewer Vulnerabilities?
- Authors: Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris and Laurie Williams
- Abstract summary: The goal of this study is to assist practitioners and researchers in making informed decisions on which security practices to adopt.
Four security practices were the most important practices influencing vulnerability count.
The number of reported vulnerabilities increased rather than reduced as the aggregate security score of the packages increased.
- Score: 6.6840472845873276
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Due to the ever-increasing security breaches, practitioners are motivated to
produce more secure software. In the United States, the White House Office
released a memorandum on Executive Order (EO) 14028 that mandates organizations
provide self-attestation of the use of secure software development practices.
The OpenSSF Scorecard project allows practitioners to measure the use of
software security practices automatically. However, little research has been
done to determine whether the use of security practices improves package
security, particularly which security practices have the biggest impact on
security outcomes. The goal of this study is to assist practitioners and
researchers in making informed decisions on which security practices to adopt
through the development of models between software security practice scores and
security vulnerability counts.
To that end, we developed five supervised machine learning models for npm and
PyPI packages using the OpenSSF Scorecard security practices scores and
aggregate security scores as predictors and the number of externally-reported
vulnerabilities as a target variable. Our models found four security practices
(Maintained, Code Review, Branch Protection, and Security Policy) were the most
important practices influencing vulnerability count. However, we had low R^2
(ranging from 9% to 12%) when we tested the models to predict vulnerability
counts. Additionally, we observed that the number of reported vulnerabilities
increased rather than reduced as the aggregate security score of the packages
increased. Both findings indicate that additional factors may influence the
package vulnerability count. We suggest that vulnerability count and security
score data be refined such that these measures may be used to provide
actionable guidance on security practices.
Related papers
- Defining and Evaluating Physical Safety for Large Language Models [62.4971588282174]
  Large Language Models (LLMs) are increasingly used to control robotic systems such as drones.
  Their risks of causing physical threats and harm in real-world applications remain unexplored.
  We classify the physical safety risks of drones into four categories: (1) human-targeted threats, (2) object-targeted threats, (3) infrastructure attacks, and (4) regulatory violations.
  arXiv Detail & Related papers (2024-11-04T17:41:25Z)
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
  Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
  We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv Detail & Related papers (2024-09-10T10:12:37Z)
- Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
  This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects.
  We have identified common issues in outdated or unmaintained dependencies that pose significant security risks.
  Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
  arXiv Detail & Related papers (2024-08-26T13:46:48Z)
- A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities [0.29998889086656577]
  The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals.
  We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK.
  Our results show an average 71.5% - 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors.
  arXiv Detail & Related papers (2024-06-09T23:29:12Z)
- Towards Deep Learning Enabled Cybersecurity Risk Assessment for Microservice Architectures [3.0936354370614607]
  CyberWise Predictor is a framework designed for predicting and assessing security risks associated with microservice architectures.
  Our framework achieves an average accuracy of 92% in automatically predicting vulnerability metrics for new vulnerabilities.
  arXiv Detail & Related papers (2024-03-22T12:42:33Z)
- A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
  The Controller Area Network (CAN) bus leaves in-vehicle communications inherently insecure.
  This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
  We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
  arXiv Detail & Related papers (2024-01-19T14:52:04Z)
- The Art of Defending: A Systematic Evaluation and Analysis of LLM Defense Strategies on Safety and Over-Defensiveness [56.174255970895466]
  Large Language Models (LLMs) play an increasingly pivotal role in natural language processing applications.
  This paper presents the Safety and Over-Defensiveness Evaluation (SODE) benchmark.
  arXiv Detail & Related papers (2023-12-30T17:37:06Z)
- Safety Margins for Reinforcement Learning [53.10194953873209]
  We show how to leverage proxy criticality metrics to generate safety margins.
  We evaluate our approach on learned policies from APE-X and A3C within an Atari environment.
  arXiv Detail & Related papers (2023-07-25T16:49:54Z)
- Smart Contract and DeFi Security Tools: Do They Meet the Needs of Practitioners? [10.771021805354911]
  Attacks targeting smart contracts are increasing, causing an estimated $6.45 billion in financial losses.
  We aim to shed light on the effectiveness of automated security tools in identifying vulnerabilities that can lead to high-profile attacks.
  Our findings reveal a stark reality: the tools could have prevented a mere 8% of the attacks in our dataset, amounting to $149 million out of the $2.3 billion in losses.
  arXiv Detail & Related papers (2023-04-06T10:27:19Z)
- Bayes Security: A Not So Average Metric [20.60340368521067]
  Security system designers favor worst-case security metrics, such as those derived from differential privacy (DP).
  In this paper, we study Bayes security, a security metric inspired by the cryptographic advantage.
  arXiv Detail & Related papers (2020-11-06T14:53:45Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
  We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
  We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.