
CMSC 495 UMGC Software Security Vulnerabilities Discussion


For this week’s conference, respond to the following:

  • Find an article in an IEEE or ACM journal about security. Read and summarize the article, and give us your reactions to the article. Be sure to include a good citation to the article.
  • You are welcome to comment (nicely!) on the postings of other students.

Respond to Joseph:

I read an article by Pete Rotella of Cisco Systems, Inc. titled “Software Security Vulnerabilities: Baselining and Benchmarking.” The article describes an investigation into Cisco Systems, Inc.’s Software Development Lifecycle (SDLC) practices and processes to see if they are effective at keeping vulnerabilities, and the vulnerability severities, low. Of particular interest was learning about software vulnerabilities stemming from the Open Source Software that was used in the company products.

The reason for the investigation is to establish baselines and benchmarking for the state of Cisco’s software security. It was mentioned that there were not historical baselines and internal benchmarks so the company was unable to gauge how well the development teams were doing at managing the levels of security vulnerabilities in Cisco software products. The company hoped to use the baseline and benchmark data to enable it to:

  • Reduce the number of high-severity vulnerabilities in their software products
  • Reduce the total number of vulnerabilities at all severity levels
  • Identify engineering practices and processes that are effective in reducing vulnerabilities
  • Identify engineering practices and processes that are not very effective with the intent to modify, replace or eliminate the practices or processes.
  • Improve on ways to promulgate SDLC best practices (Rotella, 2018)

By reviewing Security Impact Ratings (SIR), the company was able to quantify vulnerability levels and severities in certain Cisco products. The company uses the SIR rating system to “cluster the security vulnerability severities and thereby enable us to better clarify the aggregate trends and also simplify the overall analysis” (Rotella, 2018).

Some of the interesting conclusions to the investigation included:

  • Critical plus High SIR-rated bugs have increased in volume by almost four times over the previous two years.
  • Customer Found Defects (CFD) are three to four times more likely than Internally Found Defects (IFD) to be SIR-rated critical or high.
  • Third-Party Software (TPS) critical plus high SIR bug volume has increased by approximately 130% over the previous two years. TPS code is now 6.3 times more likely to receive a critical plus high SIR rating than internally developed code (Rotella, 2018).

This article is a good example of why baselining and benchmarking are important for software development. A thorough review of the SDLC can help identify weaknesses in the SDLC, third-party and open source software vulnerabilities and provide insight into how to reduce the vulnerability levels and produce higher quality software. Because of the speed of technological advances, there are many consequences to pay for just going with the flow and not actively looking at the effectiveness of your software engineering and SDLC processes.

References

Rotella, P. (May 2018). Software Security Vulnerabilities: Baselining and Benchmarking [Paper presentation]. 2018 ACM/IEEE 1st International Workshop on Security Awareness from Design to Deployment, Gothenburg, Sweden.
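The post above describes the kind of analysis the paper performs: cluster bugs into "Critical plus High" SIR buckets, track that volume across periods, and compare how likely customer-found (CFD) versus internally found (IFD) defects, and third-party (TPS) versus internally developed code, are to land in that cluster. The following Python is an added illustration of those baseline metrics; it is not code from Joseph's post or from Rotella's paper. The record fields (`period`, `sir`, `found_by`, `origin`), the SIR bucket names beyond "Critical" and "High", and every bug count are assumptions constructed for the example, so the ratios it prints are illustrative and do not reproduce the paper's figures.

```python
"""Baseline/benchmark metrics over a constructed set of SIR-rated bug records."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "Critical plus High" is the severity cluster the paper tracks.
SEVERE = frozenset({"Critical", "High"})


@dataclass(frozen=True)
class Bug:
    period: int      # reporting period (assumed: calendar year)
    sir: str         # Security Impact Rating bucket (assumed names: Critical/High/Medium/Low)
    found_by: str    # "CFD" (customer found) or "IFD" (internally found)
    origin: str      # "TPS" (third-party software) or "INT" (internally developed)


def _make(period: int, sir: str, found_by: str, origin: str, n: int) -> List[Bug]:
    """Build n identical records; used only to assemble the constructed sample."""
    return [Bug(period, sir, found_by, origin)] * n


# Constructed sample data: the volumes below are invented for illustration.
SAMPLE_BUGS: List[Bug] = (
    _make(2016, "High", "IFD", "INT", 1) + _make(2016, "Low", "IFD", "INT", 5)
    + _make(2016, "Critical", "CFD", "INT", 1) + _make(2016, "Medium", "CFD", "INT", 1)
    + _make(2016, "High", "IFD", "TPS", 1) + _make(2016, "Low", "IFD", "TPS", 1)
    + _make(2018, "High", "IFD", "INT", 2) + _make(2018, "Low", "IFD", "INT", 6)
    + _make(2018, "Critical", "CFD", "INT", 2) + _make(2018, "High", "CFD", "INT", 1)
    + _make(2018, "Low", "CFD", "INT", 1)
    + _make(2018, "High", "IFD", "TPS", 2) + _make(2018, "Low", "IFD", "TPS", 2)
    + _make(2018, "Critical", "CFD", "TPS", 1) + _make(2018, "High", "CFD", "TPS", 1)
)


def is_severe(bug: Bug) -> bool:
    return bug.sir in SEVERE


def severe_volume_by_period(bugs: Iterable[Bug]) -> dict:
    """Count Critical+High bugs per period: the baseline trend line."""
    counts = Counter(b.period for b in bugs if is_severe(b))
    return dict(sorted(counts.items()))


def severe_rate(bugs: Iterable[Bug], attr: str, value: str) -> float:
    """Fraction of bugs whose <attr> equals value that are Critical+High."""
    group = [b for b in bugs if getattr(b, attr) == value]
    if not group:
        raise ValueError(f"no bugs with {attr}={value!r}")
    return sum(is_severe(b) for b in group) / len(group)


def likelihood_ratio(bugs: Iterable[Bug], attr: str, numerator: str, denominator: str) -> float:
    """How many times more likely the numerator group is to be Critical+High than the denominator group."""
    bugs = list(bugs)
    return severe_rate(bugs, attr, numerator) / severe_rate(bugs, attr, denominator)


def growth_factor(bugs: Iterable[Bug], first: int, last: int, origin: Optional[str] = None) -> float:
    """Critical+High volume in `last` divided by volume in `first`, optionally for one code origin."""
    subset = [b for b in bugs if origin is None or b.origin == origin]
    by_period = severe_volume_by_period(subset)
    if by_period.get(first, 0) == 0:
        raise ValueError(f"no Critical+High bugs in baseline period {first}")
    return by_period.get(last, 0) / by_period[first]


def baseline_report(bugs: Iterable[Bug]) -> dict:
    """The handful of numbers a team would compare against in later periods."""
    bugs = list(bugs)
    return {
        "severe_by_period": severe_volume_by_period(bugs),
        "severe_growth_all": growth_factor(bugs, 2016, 2018),
        "severe_growth_tps": growth_factor(bugs, 2016, 2018, origin="TPS"),
        "cfd_vs_ifd": likelihood_ratio(bugs, "found_by", "CFD", "IFD"),
        "tps_vs_int": likelihood_ratio(bugs, "origin", "TPS", "INT"),
    }


if __name__ == "__main__":
    for name, value in baseline_report(SAMPLE_BUGS).items():
        print(f"{name}: {value}")
```

The ratios are computed as rates (severe bugs divided by all bugs in the group) rather than raw counts, which is what makes a "TPS code is N times more likely to be rated critical or high" statement meaningful when the two groups differ in size; with only raw counts, a larger code base would always look worse.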
