Tracking known security vulnerabilities in proprietary software systems

Author

Cadariu, Mircea ; Bouwers, Eric ; Visser, Joost ; Van Deursen, Arie

Author_Institution

Software Improvement Group, Netherlands

fYear

2015

fDate

2-6 March 2015

Firstpage

516

Lastpage

519

Abstract

Known security vulnerabilities can be introduced in software systems as a result of being dependent upon third-party components. These documented software weaknesses are “hiding in plain sight” and represent low hanging fruit for attackers. In this paper we present the Vulnerability Alert Service (VAS), a tool-based process to track known vulnerabilities in software systems throughout their life cycle. We studied its usefulness in the context of external software product quality monitoring provided by the Software Improvement Group, a software advisory company based in Amsterdam, the Netherlands. Besides empirically assessing the usefulness of the VAS, we have also leveraged it to gain insight and report on the prevalence of third-party components with known security vulnerabilities in proprietary applications.

Keywords

outsourcing; safety-critical software; software houses; software quality; Amsterdam; Netherlands; VAS usefulness assessment; documented software weaknesses; empirical analysis; external software product quality monitoring; known security vulnerability tracking; proprietary applications; proprietary software systems; software advisory company; software improvement group; software life cycle; software systems; third-party components; tool-based process; vulnerability alert service; Companies; Context; Java; Monitoring; Security; Software systems;

fLanguage

English

Publisher

ieee

Conference_Titel

Software Analysis, Evolution and Reengineering (SANER), 2015 IEEE 22nd International Conference on

Conference_Location

Montreal, QC

Type

conf

DOI

10.1109/SANER.2015.7081868

Filename

7081868