User-Centric Security Assessment of Software Configurations: A Case Study [chapter]

Hamza Ghani, Jesus Luna Garcia, Ivaylo Petkov, Neeraj Suri
2014, Lecture Notes in Computer Science, Springer International Publishing
Software systems are invariably vulnerable to exploits, thus the need to assess their security in order to quantify the associated risk their usage entails. However, existing vulnerability assessment approaches, e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed to perform the analysis and, (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small and medium-sized enterprises, are often unaware about assessing the actual technical and economical impact of vulnerability exploits in their own organizations, before the actual system's deployment. Drawing upon threat modeling techniques (i.e., attack trees), we propose a user-centric methodology to quantitatively perform a software configuration's security assessment based on (i) the expected economic impact associated with compromising the system's security goals and, (ii) a method to rank available configurations with respect to security. This paper demonstrates the feasibility and usefulness of our approach in a real-world case study based on the Amazon EC2 service. Over 2000 publicly available Amazon Machine Images are analyzed and ranked with respect to a specific business profile, before deployment in Amazon's Cloud.
doi:10.1007/978-3-319-04897-0_13 fatcat:kcj6ccrofvekpbj2iusxmzpayu