software security economics theory in practice
play

Software Security Economics: Theory, in Practice An Exploratory - PowerPoint PPT Presentation

Sep 22, 2023 •179 likes •498 views

Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan Neuhaus<neuhaust@tik.ee.ethz.ch> Bernhard Plattner <plattner@tik.ee.ethz.ch> Thursday, June 28, 12 Making the Best Use of Cybersecurity Economic

  1. Software Security Economics: Theory, in Practice An Exploratory Analysis Stephan Neuhaus<neuhaust@tik.ee.ethz.ch> Bernhard Plattner <plattner@tik.ee.ethz.ch> Thursday, June 28, 12

  2. “Making the Best Use of Cybersecurity Economic Models” • Investing in software security always has positive, but diminishing returns • Modeled by a “increasing convex function”, which is “any increasing twice continuously differentiable function” • Statement without any qualification Rachel Rue and Shari Lawrence Pfleeger. Making the best use of cybersecurity economic models . IEEE Security & Privacy, 7 :52–60, 2009. Thursday, June 28, 12

  3. Security ∆ S 2 ∆ S 1 ∆ S 2 < ∆ S 1 Cumulative Investment ∆ I Thursday, June 28, 12

  4. Security Functions • Increasing (Slope always positive): d f /d I > 0 • Diminishing returns (Later slopes smaller than earlier ones): d 2 f /d I 2 < 0 • Hang on, that’s not convexity, that’s concavity • Not just any old twice continuously differen- tiable function will do • Also, twice continuous differentiability not needed, twice differentiable suffices Thursday, June 28, 12

  5. What they say is not what they mean Thursday, June 28, 12

  6. Is what they actually true? mean Thursday, June 28, 12

  7. More Security Functions • Investment always yields positive returns? • Just throw money in the general direction of security and it will never get any worse? • That would mean that it is impossible to choose a wrong security mechanism • Security systems so badly implemented that no security system would have been better! (TSA) • Just a plausibility argument , what does the data say? Thursday, June 28, 12

  8. Consequences • Vulnerability fixing is security investment • Stretched over time • If same investment yields less improvement tomorrow than it does today, then vulnerability fix rates should go down fix rate = #vulns fixed × #fixers unit time Thursday, June 28, 12

  9. Data Sets • Mozilla (292 vulnerabilities) • Apache httpd (66 vulnerabilities) • Apache Tomcat (21 vulnerabilities) Thursday, June 28, 12

  10. Mozilla 417 Advisories 382 with bug ID 292 with CVS commit message Image source: Mozilla foundation Thursday, June 28, 12

  11. Apache httpd • Security information published through CVE • No helpful links to bug reports • Manual mapping of vulnerabilities to fixes • Leaving out CVEs we can’t assign • Out of 100 CVEs, 66 remain Image source: Apache foundation Thursday, June 28, 12

  12. Apache Tomcat • From 2008 on, reports have revision number of fixing checkin :-) • Before 2008, there is no link at all :-( • Out of the 89 CVEs, only 21 remain • Attribution absolutely certain Image source: Apache foundation Thursday, June 28, 12

  13. Vulnerability Fix Checkins (Mozilla) 15 10 Checkins 5 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  14. Moving Average • Acts as a low-pass filter , removing high- frequency jiggling • Smoothes out strong day-to-day variations • Leaves overall trend (if any) • Trend will appear with a lag • We chose window size 365 • Even in leap years Thursday, June 28, 12

  15. Average Vulnerability Fix Checkins (Combined) 1 Average Checkins per Day 0.3 Product 0.1 Mozilla Httpd 0.03 Tomcat 0.01 0.003 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  16. Average Vulnerability Fix Checkins (Combined) Move to different repository, 1 way fewer checkins, higher percentage Average Checkins per Day of backported vuln fixes 0.3 Product 0.1 Mozilla Httpd 0.03 Tomcat 0.01 0.003 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  17. Average Vulnerability Fix Checkins (Combined) 1 Average Checkins per Day 0.3 Product 0.1 Mozilla Httpd 0.03 Tomcat 0.01 0.003 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  18. Average Vulnerability Fix Checkins (Combined) 1 Average Checkins per Day 0.3 Product 0.1 Mozilla Httpd 0.03 Tomcat 0.01 0.003 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  19. Average Vulnerability Fix Checkins (Combined) 1 Average Checkins per Day 0.3 Product 0.1 Mozilla Httpd 0.03 Tomcat 0.01 0.003 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  20. Number of Committers (Combined) 30 Average Checkins per Day Product 10 Mozilla Httpd Tomcat 3 1 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Thursday, June 28, 12

  21. Why does the Standard Model not Fit? • Standard model is for static situation • Software development is dynamic, has phases • Next week is a feature freeze • In two months, writing that new feature • Supply of easy vulnerabilities has not run out • Why not? It’s superficially plausible that they should! Thursday, June 28, 12

  22. Reservoirs average length μ in average length μ out Development Bug fixing time Thursday, June 28, 12

  23. Reservoirs • There is a reservoir of vulnerabilities • Phases of average length μ in in which vulnerabilities are put into the reservoir (development) • Phases of average length μ out in which vulnerabilities are taken out of the reservoir (bug fixing) • These phases alternate • Not perfect, but more plausible than standard model! Thursday, June 28, 12

  24. Consequences • “The number of [vulnerabilities] V will be heavy tailed with P( V > x ) ∼ cx − ( α − 1) L ( x ), where c and α are constants and L a slowly varying function.” • Number of vulnerabilities unknown! Thursday, June 28, 12

  25. More Consequences • Assume that in any given 365-day period, a constant fraction of the available vulnerabilities will be fixed, it follows that the number of days with a given number of checkins will also be heavy tailed • #vulnerabilities fixed � #vulnerabilities present • Not a priori clear, but let’s see what follows! Thursday, June 28, 12

  26. ● 10 3 10 2 ● Product Httpd ● Days Mozilla Tomcat 10 1 ● ● 10 0 ● ● 0 0 0 1 1 1 2 2 2 3 3 4 5 5 6 7 8 9 10 11 13 15 Checkins per Day Thursday, June 28, 12

  27. Other Things in the Paper • Is software security an arms race, where attackers and defenders have to work very hard just to maintain the status quo? • Would lead to distribution between successive days with fixes obeying a power law • No (or, if yes, lost in noise of other activity) Neil Johnson, Spencer Carran, Joel Botner, Kyle Fontaine, Nathan Laxague, Philip Nuetzel, Jessica Turnley, and Brian Tivnan. Pattern in escalations in insurgent and terrorist activity . Science, 333 (6038):81–84, July 2011. Thursday, June 28, 12

  28. You Should not Believe Me! • Make your own experiments on my data! • Find bugs in my scripts! • ftp://ftp.tik.ee.ethz.ch/pub/publications/ WEIS2012/fixrates.tar.gz • (Don’t write this down, it’s in the paper) Thursday, June 28, 12

  29. Personal Remarks • Share your data and scripts! • Many thanks to reviewer who pointed out problems with my “power law” analysis • This work is not about surprises • A scientific paper is not a news story Thursday, June 28, 12

  30. Conclusion • Standard model not applicable for software development • Hence perhaps not so standard • Reservoir model makes predictions that actually fit the data • Hence perhaps a better model • Ultimately, phenomenon not understood Thursday, June 28, 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How our Current Theory of Economics and Practice of Finance have Unsustainability built in QCEA

How our Current Theory of Economics and Practice of Finance have Unsustainability built in QCEA

How our Current Theory of Economics and Practice of Finance have Unsustainability built in QCEA Brussels November 2013 Outline Introduction/Background Neo-classical theory Flaws in the theory Myths about growth Financial

729 views • 45 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
Exploratory testing in theory and practice Jan Jaap Cannegieter Principal consultant Squerist

Exploratory testing in theory and practice Jan Jaap Cannegieter Principal consultant Squerist

8-5-2019 Specialisten in vooruitgang Exploratory testing in theory and practice Jan Jaap Cannegieter Principal consultant Squerist Software testen Business Process Transformation Security testen 1 Exploratory testing in theory and practice

381 views • 18 slides
CSE3010: (Software Pattern Theory and Practice)

CSE3010: (Software Pattern Theory and Practice)

CSE3010: (Software Pattern Theory and Practice) Yann-Gal Guhneuc The Be a Debugger process pattern This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 3.0 Unported

629 views • 40 slides
Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing your Experiment Massimiliano Di Penta University of Sannio, Italy Outline Empirical studies in software engineering Different kinds of

1.62k views • 146 slides
Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson - @kennyog Based on joint work with Martin Albrecht, Jean Paul Degabriele and Torben Hansen Information Security Group Overview 1. Introducing SSH 2. SSH

817 views • 52 slides
The Theory and Practice of Software Testing: Can we Test it? Yes we Can! Gregory M. Kapfhammer

The Theory and Practice of Software Testing: Can we Test it? Yes we Can! Gregory M. Kapfhammer

Software Testing Challenges Structural Testing Regression Testing Mutation Testing Future Work Conclusion The Theory and Practice of Software Testing: Can we Test it? Yes we Can! Gregory M. Kapfhammer Department of Computer Science

578 views • 23 slides
The Economics of Retail Payment Security Tyler Moore University of Tulsa, OK

The Economics of Retail Payment Security Tyler Moore University of Tulsa, OK

The Economics of Retail Payment Security Tyler Moore University of Tulsa, OK tyler-moore@utulsa.edu CS 7403 Secure Electronic Commerce Outline Key Economic Principles for Retail Payments Security 1 Game Theory 2 Applying Game Theory to

756 views • 61 slides
Improving Risk Management in Software Production - from theory to practice FINESSE SPI 13.4.1999

Improving Risk Management in Software Production - from theory to practice FINESSE SPI 13.4.1999

Improving Risk Management in Software Production - from theory to practice FINESSE SPI 13.4.1999 CCC Software Professionals Jouko Luukas What is RISK? Risk is defined as the potential of occurrences that would be detrimental to the

433 views • 9 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 &amp; 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no

practice theory for social change practice theory is not for social change in itself it has no internal normative content practice theory for understanding social change well demonstrated as enabling distinctive insight into change

536 views • 24 slides
Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December

Side-channel bas ed Collision Attacks, Theory to Att k Th t o Practice P ti 3. December 2010 Amir Moradi E Embedded Security Group, Ruhr University Bochum b dd d S it G R h U i it B h m, Germany G Embedded Security Group Outline

495 views • 26 slides
University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs

(Or Living Between a Rock and a Hard Place) Nigel Smart University Of Bristol 1 What to talk about? 2 What to talk about? Theory vs Practice vs Theory and Practice A key problem is someones theory is someone elses practice,

1.66k views • 68 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1

Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1

Database Management Systems Session 8 Instructor: Vinnie Costa vcosta@optonline.net CSC056-Z1 Database Management Systems Vinnie Costa Hofstra University 1 Its All In The Presentation!!! After a summer-long delay, Eastman

697 views • 59 slides
EMERGENCY MANAGER REPORT DISTRESSED UNIT APPEALS BOARD (DUAB) March 2, 2018 Prepared by Distressed

EMERGENCY MANAGER REPORT DISTRESSED UNIT APPEALS BOARD (DUAB) March 2, 2018 Prepared by Distressed

EMERGENCY MANAGER REPORT DISTRESSED UNIT APPEALS BOARD (DUAB) March 2, 2018 Prepared by Distressed Unit Appeals Board Emergency Manager Report Prepared by Gary Schools Recovery, LLC March 2, 2018 TABLE OF CONTENTS 2 1.0 RECOMMENDATION OF

432 views • 19 slides
A Survey of Concurrency Constructs Ted Leung Sun Microsystems ted.leung@sun.com @twleung 16

A Survey of Concurrency Constructs Ted Leung Sun Microsystems ted.leung@sun.com @twleung 16

A Survey of Concurrency Constructs Ted Leung Sun Microsystems ted.leung@sun.com @twleung 16 threads 128 threads Todays model Threads Program counter Own stack Shared Memory Locks Some of the problems Locks

746 views • 55 slides
Rhetorical Questions http://www.printwand.com/blog/should-you-use-rhetorical-

Rhetorical Questions http://www.printwand.com/blog/should-you-use-rhetorical-

Rhetorical Questions http://www.printwand.com/blog/should-you-use-rhetorical- questions-in-advertising Introduction The purpose of this PowerPoint is to introduce the use of rhetorical questions as a language technique. By the end of this

563 views • 18 slides
Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems

www.immobilienscout24.de Be Fast Or Stay Behind Building a Continuous Delivery Platform Schlomo Schapiro, Systems Architect &amp; Open Source Evangelist Ingmar Krusch, Team Lead in Operations License:

552 views • 37 slides
Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

11/16/2015 Objectives Show Spark's ability to rapidly process Big Data Extracting information with RDDs Querying data using DataFrames Spark: A Coding Joyride Visualizing and plotting data Create a machine-learning pipeline

173 views • 6 slides
Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National

Secure Enhanced Linux Julian Richen SELinux? Started as a research project from the National Security Agency (NSA) A set of patches using the Linux Security Modules (LSM) Hardening GNU/Linux systems with extra security policies and

349 views • 15 slides
Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server

Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server

IOOS Regional Product Developers Workshop Great Lakes Observing System GLOS DMAC Infrastructure Hardware Server 1(Web/FTP/Application) x86_64 2* 4 Xeon CPU, 16GB RAM 300 GB RAID 1 Server 2(New Purchase) x86_64 4* 4 Xeon CPU,

351 views • 18 slides

More recommend