Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - User-centric security assessment of software configurations
T2 - A case study
AU - Ghani, H.
AU - Luna Garcia, J.
AU - Petkov, I.
AU - Suri, Neeraj
PY - 2014
Y1 - 2014
N2 - Software systems are invariably vulnerable to exploits, hence the need to assess their security in order to quantify the risk their usage entails. However, existing vulnerability assessment approaches, e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed to perform the analysis and (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small and medium-sized enterprises, are often unaware of how to assess the actual technical and economic impact of vulnerability exploits in their own organizations before the system's deployment. Drawing upon threat modeling techniques (i.e., attack trees), we propose a user-centric methodology to quantitatively assess the security of a software configuration based on (i) the expected economic impact associated with compromising the system's security goals and (ii) a method to rank available configurations with respect to security. This paper demonstrates the feasibility and usefulness of our approach in a real-world case study based on the Amazon EC2 service. Over 2000 publicly available Amazon Machine Images are analyzed and ranked with respect to a specific business profile, before deployment in Amazon's cloud. © 2014 Springer International Publishing Switzerland.
AB - Software systems are invariably vulnerable to exploits, hence the need to assess their security in order to quantify the risk their usage entails. However, existing vulnerability assessment approaches, e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed to perform the analysis and (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small and medium-sized enterprises, are often unaware of how to assess the actual technical and economic impact of vulnerability exploits in their own organizations before the system's deployment. Drawing upon threat modeling techniques (i.e., attack trees), we propose a user-centric methodology to quantitatively assess the security of a software configuration based on (i) the expected economic impact associated with compromising the system's security goals and (ii) a method to rank available configurations with respect to security. This paper demonstrates the feasibility and usefulness of our approach in a real-world case study based on the Amazon EC2 service. Over 2000 publicly available Amazon Machine Images are analyzed and ranked with respect to a specific business profile, before deployment in Amazon's cloud. © 2014 Springer International Publishing Switzerland.
KW - Cloud Security
KW - Economics of Security
KW - Security Metrics
KW - Security Quantification
KW - Vulnerability Assessment
KW - Economic and social effects
KW - Cloud securities
KW - Economical impact
KW - Security assessment
KW - Security metrics
KW - Software configuration
KW - Vulnerability analyzers
KW - Vulnerability assessments
KW - Security of data
U2 - 10.1007/978-3-319-04897-0_13
DO - 10.1007/978-3-319-04897-0_13
M3 - Conference contribution/Paper
SN - 9783319048963
VL - 8364 LNCS
SP - 196
EP - 212
BT - Engineering Secure Software and Systems
PB - Springer-Verlag
ER -
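The abstract above describes ranking software configurations (e.g., Amazon Machine Images) by the expected economic impact of compromising their security goals, using attack trees. The following is an added illustration of that general idea, written for this record; it is not the authors' code and does not reproduce the paper's actual model. It assumes a simple attack-tree semantics (OR gates: any child suffices, AND gates: all children needed, steps treated as independent), leaf success probabilities supplied per configuration (e.g., a scaled exploitability score for a vulnerable package found in the image), and a business profile giving a monetary loss per compromised goal. The AMI names, weakness identifiers, probabilities and loss figures are all constructed for the example.

```python
"""Attack-tree expected-loss ranking of candidate configurations.

Added illustration only: the trees, weakness ids, probabilities, AMI names and
loss figures below are constructed, and the independence assumption is a
simplification chosen for this example.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Step:
    """Leaf: an attack step whose success probability depends on the configuration."""
    weakness: str  # looked up in the configuration's weakness table


@dataclass(frozen=True)
class Gate:
    """Internal node: 'OR' (any child suffices) or 'AND' (every child is needed)."""
    op: str
    children: Tuple["AttackNode", ...]


AttackNode = Union[Step, Gate]


def p_compromise(node: AttackNode, config: Dict[str, float]) -> float:
    """Probability that the subtree rooted at `node` succeeds against `config`.

    A step whose weakness is absent from the configuration cannot be taken (p = 0).
    Steps are assumed independent (assumption of this example).
    """
    if isinstance(node, Step):
        return config.get(node.weakness, 0.0)
    ps = [p_compromise(child, config) for child in node.children]
    if node.op == "AND":
        return prod(ps)
    if node.op == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {node.op!r}")


# One attack tree per security goal of a hypothetical web shop (constructed).
GOAL_TREES: Dict[str, AttackNode] = {
    "confidentiality": Gate("OR", (
        Step("sqli_in_webapp"),  # dump the customer database directly
        Gate("AND", (Step("ssh_weak_creds"), Step("db_readable_by_www"))),  # shell, then read DB
    )),
    "integrity": Gate("OR", (Step("sqli_in_webapp"), Step("ssh_weak_creds"))),
    "availability": Gate("OR", (Step("dos_in_httpd"), Step("ssh_weak_creds"))),
}

# Business profile: monetary loss if each goal is compromised (constructed figures).
BUSINESS_PROFILE: Dict[str, float] = {
    "confidentiality": 500_000.0,
    "integrity": 120_000.0,
    "availability": 40_000.0,
}

# Candidate configurations: weakness -> probability an attacker succeeds at that step
# (constructed; in practice derived from the vulnerabilities found in each image).
CONFIGS: Dict[str, Dict[str, float]] = {
    "ami-webshop-lamp-old": {
        "sqli_in_webapp": 0.6, "ssh_weak_creds": 0.3,
        "db_readable_by_www": 0.9, "dos_in_httpd": 0.5,
    },
    "ami-webshop-lamp-patched": {
        "ssh_weak_creds": 0.3, "db_readable_by_www": 0.9, "dos_in_httpd": 0.1,
    },
    "ami-webshop-hardened": {"db_readable_by_www": 0.2, "dos_in_httpd": 0.1},
}


def expected_loss(config: Dict[str, float],
                  trees: Dict[str, AttackNode] = GOAL_TREES,
                  profile: Dict[str, float] = BUSINESS_PROFILE) -> float:
    """Sum over goals of P(goal compromised) * loss(goal) for one configuration."""
    return sum(p_compromise(trees[goal], config) * loss for goal, loss in profile.items())


def rank_configurations(configs: Dict[str, Dict[str, float]],
                        trees: Dict[str, AttackNode] = GOAL_TREES,
                        profile: Dict[str, float] = BUSINESS_PROFILE) -> List[Tuple[str, float]]:
    """Configurations ordered by expected loss, lowest (most attractive) first."""
    scored = ((name, expected_loss(cfg, trees, profile)) for name, cfg in configs.items())
    return sorted(scored, key=lambda item: item[1])


if __name__ == "__main__":
    for name, loss in rank_configurations(CONFIGS):
        print(f"{name:28s} expected loss = {loss:10.2f}")
```

The ranking is driven by the business profile, not by vulnerability counts alone: the same image would rank differently for a profile that values availability over confidentiality, which is the user-centric point the abstract makes.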