Journal Article, DOI: 10.1109/ACCESS.2022.3185069
Automated Risk Management based Software Security Vulnerabilities Management
Raghavendra Rao Althar, Debabrata Samanta, Manjit Kaur, Dilbag Singh, Heung-No Lee, and 4 more
- Vol. PP, pp 1-1
TL;DR: CWE (Common Weaknesses Enumeration) mapping from industry knowledge is leveraged to validate the security needs from the industry perspective and obtain a holistic picture of the software system's security.
Abstract: An automated risk assessment approach is explored in this work. The focus is to optimize the conventional threat modeling approach to explore software system vulnerabilities. Data produced in the software development processes are better leveraged using Machine Learning approaches. A large amount of industry knowledge around security vulnerabilities can be leveraged to enhance current threat modeling approaches. The work is situated in the ecosystem of software development processes that use Agile methodology. Insurance business domain data are explored as the target for this study. The focus is to enhance the traditional threat modeling approach with a better quantitative approach and to reduce the biases introduced by the people who are part of the software development processes. This effort will help bridge the multiple data sources prevalent across the software development ecosystem. Bringing these various data sources together will assist in understanding patterns associated with the security aspects of software systems, which in turn helps to understand and devise better controls. Approaches explored so far have considered individual areas of software development and their influence on improving security; there is a need to build an integrated approach for a total security solution for software systems. A wide variety of machine learning approaches and ensemble approaches will be explored. The insurance business domain is considered for the research here. CWE (Common Weaknesses Enumeration) mapping from industry knowledge is leveraged to validate the security needs from the industry perspective. This combination of industry and company data will help get a holistic picture of the software system's security, and lays down the path for an integrated security management system in software development. The risk management framework with the quantitative threat modeling process is the work's uniqueness. This work contributes towards making software systems secure and robust over time.
Citations
Towards the Integration of Security Practices in Agile Software Development: A Systematic Mapping Review
TL;DR: In this article, the authors survey the literature for methods or models suitable for considering the integration of security in all or some of the phases of the software development life cycle, and identify which ones are most considered or neglected.
Secure software design evaluation and decision making model for ubiquitous computing: A two-stage ANN-Fuzzy AHP approach
Abdulrahman Alzahrani, Rafiq Ahmad Khan, and 1 more
TL;DR: This study develops a two-stage ANN-Fuzzy AHP model for evaluating and deciding secure software design in ubiquitous computing, prioritizing 50 secure design practices and identifying the most significant threat as "failure to adhere to accepted security design principles".
Identifying Key Activities, Artifacts and Roles in Agile Engineering of Secure Software with Hierarchical Clustering
TL;DR: In this paper, the authors identified seven key activities (i.e., security auditing; security analysis and testing; security training; security prioritization and monitoring; risk management; security planning and threat modeling; and security requirements engineering), five key artifacts (i.e., security requirement artifacts, security repositories, security reports, security tags, and security policies), and four key roles (e.g., security guru, security developer, penetration tester, and security team) in AESS.
Towards Challenges Faced in Agile Risk Management Practices
Md. Abdul Wassay
- 26 Apr 2023
TL;DR: In this article , a study of challenges with risk management is initially presented and the attitudes towards these issues are then elaborated, building on the features of how these challenges can be solved.
Practices and challenges of threat modelling in agile environments
Paul Theurich, Josepha Witt, Sebastian Richter, and 2 more
TL;DR: A valuable artefact is proposed for practitioners by mapping challenges and practices to the agile SDLC and by creating a matrix highlighting how the practices address the challenges of TM in an agile environment.