Derivation of metrics for effective evaluation of vulnerability assessment technology

Ammala, Darwin Edward

08 May 2004

Vulnerability in software receives constant attention in the media and in research. Yearly rates of disclosure of vulnerabilities in software have doubled. The discipline of Information Assurance lacks metrics that are useful in understanding vulnerability. In the problem of vulnerability assessment tool selection, users must make product choices based on results found in non-peer reviewed publications or subjective opinion. Users of vulnerability assessment tools must sift through volumes of data about their systems and are shown broad indications of the severity of the problems ? often a high-medium-low ranking, which varies between tools. A need exists for metrics and a selection model for tool quality assessment. This study addresses these needs by analysis of the discipline of vulnerability assessment and remediation from first principles, and presents an organized approach and a bestit metrics based model for selecting vulnerability assessment tools.

infosec

scanning tools

security audit

selection criteria

Automatic Detection of Security Deficiencies and Refactoring Advises for Microservices

Ünver, Burak

January 2023

The microservice architecture enables organizationsto shorten development cycles and deliver cloud-native applicationsrapidly. However, it also brings security concerns thatneed to be addressed by developers. Therefore, security testingin microservices becomes even more critical. Recent researchpapers indicate that security testing of microservices is oftenneglected for reasons such as lack of time, lack of experience inthe security domain, and absence of automated test environments.Even though several security scanning tools exist to detectcontainer, containerized workload management (Kubernetes),and network issues, none individually is sufficient to cover allsecurity problems in microservices. Using multiple scanning toolsincreases the complexity of analyzing findings and mitigatingsecurity vulnerabilities. This paper presents a fully automatedtest tool suite that can help developers address security issuesin microservices and resolve them. It targets to reduce timeand effort in security activities by encapsulating open-sourcescanning tools into one suite and providing improved feedback.The developed security scanning suite is named Pomegranate.To develop Pomegranate, we employed Design Science andconducted our investigation in Ericsson. We have evaluated ourtool using a static approach. The evaluation results indicate thatthe Pomegranate could be helpful to developers by providingsimplified and classified outputs for security vulnerabilities inmicroservices. More than half of the practitioners who give usfeedback found Pomegranate helpful in detecting and mitigatingsecurity problems in microservices. We conclude that a fullyautomated test tool suite can help developers to address mostsecurity issues in microservices. Based on the findings in thispaper, the direction for future work is to conduct a dynamicvalidation of Pomegranate in a live project.

Microservices

Security

Kubernetes

Security Scanning Tools

Software Engineering

Programvaruteknik

Supplementing Dependabot’svulnerability scanning : A Custom Pipeline for Tracing DependencyUsage in JavaScript Projects

Karlsson, Isak, Ljungberg, David

January 2024

Software systems are becoming increasingly complex, with developers frequentlyutilizing numerous dependencies. In this landscape, accurate tracking and understanding of dependencies within JavaScript and TypeScript codebases are vital formaintaining software security and quality. However, there exists a gap in how existing vulnerability scanning tools, such as Dependabot, convey information aboutthe usage of these dependencies. This study addresses the problem of providing amore comprehensive dependency usage overview, a topic critical to aiding developers in securing their software systems. To bridge this gap, a custom pipeline wasimplemented to supplement Dependabot, extracting the dependencies identified asvulnerable and providing specific information about their usage within a repository.The results highlight the pros and cons of this approach, showing an improvement inthe understanding of dependency usage. The effort opens a pathway towards moresecure software systems.

Vulnerability scanning

Software Dependencies

JavaScript

TypeScript

Dependabot

Vulnerability Scanning Tools

Software Security

Pipeline

GitHub

Dependency Management

Computer Systems

Datorsystem