Fig 14 - uploaded by Sven Peldszus
Security violating match of a security violation pattern

Source publication
Article
Ontologies as a means to formally specify the knowledge of a domain of interest have made their way into information and communication technology. Most often, such knowledge is subject to continuous change, which demands consistent evolution of ontologies and dependent artifacts. In this article, we study ontology evolution in the context of so...

Citations

... To overcome non-integrated solutions, for ensuring security compliance, we connect design-time security with implementation-level security. The presented automation allows us to effectively check security at low cost by allowing security experts to only specify security requirements once in combination with an automated propagation based on our tracing mechanism (RQ3) [1,25,34,44]. We leverage design-time security requirements for static and dynamic implementation-level security checks. ...
... To detect security violations after changes, we introduce security violation patterns that encode implementation-level security checks against design-time security requirements as graph patterns (RQ4) [34]. Especially, we discuss their incremental execution for efficiently verifying security compliance instead of full-security compliance checks. ...
Chapter
To ensure the security of a software system, it is vital to keep up with changing security precautions, attacks, and mitigations. Although model-based development enables addressing security already at design-time, design models are often inconsistent with the implementation or among themselves. Such inconsistencies hinder the effective realization and verification of secure software systems. In addition, variants of software systems are another burden to developing secure systems. Vulnerabilities must be identified and fixed on all variants or else attackers could be well-guided in attacking unfixed variants. To ensure security in this context, in the thesis (Peldszus, Security Compliance in Model-driven Development of Software Systems in Presence of Long-Term Evolution and Variants. Springer, Berlin; 2022), we present GRaViTY, an approach that allows security experts to specify security requirements on the most suitable system representation. To preserve security, based on continuous automated change propagation, GRaViTY automatically checks all system representations against these security requirements. To systematically improve the object-oriented design of a software-intensive system, GRaViTY provides security-preserving refactorings. For both continuous security compliance checks and refactorings, we show the application to variant-rich software systems. To support legacy systems, GRaViTY allows automatic reverse-engineering of variability-aware UML models and semi-automatic mapping of existing design models to the implementation. Besides evaluations of the individual contributions, we demonstrate applicability of the approach in two real-world case studies, the iTrust electronics health records system and the Eclipse Secure Storage. This book chapter provides a summary of the thesis, focusing on the addressed problems, identified and answered research questions, the general solution, and its application to two case studies. For details on the individual solutions, please refer to the thesis and the corresponding publications referenced in this book chapter.
... There are numerous works dedicated to the study of security ontologies from different phases and purposes of software engineering [12,17,28,29], ranging from the analysis and classification of security requirements [30][31][32] to the design and use of patterns [33,34] and tools [35,36]. ...
... Another effort was conducted by ATRI to develop automated testing and validation methods that address the challenges with regulatory agencies in conducting multicenter Alzheimer's disease and Alzheimer's disease-related dementias (AD/ADRDs) clinical trials [63]. Furthermore, Peldszus et al. [64] proposed incremental rule-based security violation patterns for security compliance checks. ...
... The S 2 C DevOps pipeline aims to both raise awareness of compliance issues in the context of DevOps and achieve compliance automation [61]. Peldszus et al. [64] also made a point in the lead time by proposing the solution of incremental security compliance checks. This solution suggests checking only the changed parts, therefore avoiding the re-execution of the entire compliance checks. ...
... Additional efforts for ensuring security compliance are required since security knowledge is evolving. In this regard, Peldszus et al. [64] provided prototypical implementation on ensuring security compliance on systems subject of expanded knowledge. On the other hand, the efforts for ensuring security compliance have given rise to several tools to facilitate the process (see "Compliance Tools"). ...
Article
The software industry has witnessed a growing interest in DevSecOps due to the premises of integrating security in the software development lifecycle. However, security compliance cannot be disregarded, given the importance of adherence to regulations, laws, industry standards, and frameworks. This study aims to provide an overview of compliance aspects in the context of DevSecOps and explore how compliance is ensured. Furthermore, this study reveals the trends of compliance according to the extant literature and identifies potential directions for further research in this context. Therefore, we carried out a systematic literature review on the integration of compliance aspects in DevSecOps, which rigorously followed the guidelines proposed by Kitchenham and Charters. We found 934 articles related to the topic by searching five bibliographic databases (163) and Google Scholar (771). Through a rigorous selection process, we selected 15 papers as primary studies. Then, we identified the compliance aspects of DevSecOps and grouped them into three main categories: compliance initiation, compliance management, and compliance technicalities. We observed a low number of studies; therefore, we encourage further efforts into the exploration of compliance aspects, their automated integration, and the development of metrics to evaluate such a process in the context of DevSecOps.
... For instance, the famous Heartbleed bug, a vulnerability in the OpenSSL cryptographic library that affected billions of internet users, could have been prevented with two more lines of code [3]. To mitigate such flaws, constructive approaches to secure software engineering (e.g., model-based secure software design [4][5][6] or up-to-date collections of well-known vulnerabilities and security guidelines [7]) need to be complemented by analytical quality assurance techniques for detecting vulnerabilities in source code. ...
Article
Context: Identifying potentially vulnerable code is important to improve the security of our software systems. However, the manual detection of software vulnerabilities requires expert knowledge and is time-consuming, and must be supported by automated techniques. Objective: Such automated vulnerability detection techniques should achieve a high accuracy, point developers directly to the vulnerable code fragments, scale to real-world software, generalize across the boundaries of a specific software project, and require no or only moderate setup or configuration effort. Method: In this article, we present Vudenc (Vulnerability Detection with Deep Learning on a Natural Codebase), a deep learning-based vulnerability detection tool that automatically learns features of vulnerable code from a large and real-world Python codebase. Vudenc applies a word2vec model to identify semantically similar code tokens and to provide a vector representation. A network of long short-term memory cells (LSTM) is then used to classify vulnerable code token sequences at a fine-grained level, highlight the specific areas in the source code that are likely to contain vulnerabilities, and provide confidence levels for its predictions. Results: To evaluate Vudenc, we used 1,009 vulnerability-fixing commits from different GitHub repositories that contain seven different types of vulnerabilities (SQL injection, XSS, Command injection, XSRF, Remote code execution, Path disclosure, Open redirect) for training. In the experimental evaluation, Vudenc achieves a recall of 78%–87%, a precision of 82%–96%, and an F1 score of 80%–90%. Vudenc’s code, the datasets for the vulnerabilities, and the Python corpus for the word2vec model are available for reproduction. Conclusions: Our experimental results suggest that Vudenc is capable of outperforming most of its competitors in terms of vulnerability detection capabilities on real-world software. Comparable accuracy was only achieved on synthetic benchmarks, within single projects, or on a much coarser level of granularity such as entire source code files.
... Because of the properties of ontologies, they represent one of the solutions for cyber intelligence and a future research direction [8]. The potential of ontologies can be seen in different application areas, such as digital evidence review [9], software requirement and security issue detection [10], modeling of Internet of things design [11], security alert management [12], and as a standard for cyber threat sharing [13]. ...
Article
Cybersecurity solutions are highly based on data analysis. Currently, it is not enough to make an automated decision; it also has to be explainable. The decision-making logic traceability should be provided in addition to justification by referencing different data sources and evidence. However, the existing security ontologies, used for the implementation of expert systems and serving as a knowledge base, lack interconnectivity between different data sources and computer-readable linking to the data source. Therefore, this paper aims to increase the possibilities of ontology-based cyber intelligence solutions, by presenting a security ontology structure for data storage to the ontology from different text-based data sources, supporting the knowledge traceability and relationship estimation between different security documents. The proposed ontology structure is tested by storing data of three text-based data sources, and its application possibilities are provided. The study shows that the structure is adaptable for different text data sources and provides an additional value related to security area extension.
... For instance, the famous Heartbleed bug, a vulnerability in the OpenSSL cryptographic library that affected billions of internet users, could have been prevented with two more lines of code [3]. To mitigate such flaws, constructive approaches to secure software engineering (e.g., model-based secure software design [4][5][6] or up-to-date collections of well-known vulnerabilities and security guidelines [7]) need to be complemented by analytical quality assurance techniques for detecting vulnerabilities in source code. ...
Preprint
Context: Identifying potential vulnerable code is important to improve the security of our software systems. However, the manual detection of software vulnerabilities requires expert knowledge and is time-consuming, and must be supported by automated techniques. Objective: Such automated vulnerability detection techniques should achieve a high accuracy, point developers directly to the vulnerable code fragments, scale to real-world software, generalize across the boundaries of a specific software project, and require no or only moderate setup or configuration effort. Method: In this article, we present VUDENC (Vulnerability Detection with Deep Learning on a Natural Codebase), a deep learning-based vulnerability detection tool that automatically learns features of vulnerable code from a large and real-world Python codebase. VUDENC applies a word2vec model to identify semantically similar code tokens and to provide a vector representation. A network of long-short-term memory cells (LSTM) is then used to classify vulnerable code token sequences at a fine-grained level, highlight the specific areas in the source code that are likely to contain vulnerabilities, and provide confidence levels for its predictions. Results: To evaluate VUDENC, we used 1,009 vulnerability-fixing commits from different GitHub repositories that contain seven different types of vulnerabilities (SQL injection, XSS, Command injection, XSRF, Remote code execution, Path disclosure, Open redirect) for training. In the experimental evaluation, VUDENC achieves a recall of 78%-87%, a precision of 82%-96%, and an F1 score of 80%-90%. VUDENC's code, the datasets for the vulnerabilities, and the Python corpus for the word2vec model are available for reproduction. Conclusions: Our experimental results suggest...
... Category | Count | Sources
Modeling the Data in software development | 5 | Bhatia et al. [2], Valiente et al. [11], Puchianu and Bautu [18], Rocha et al. [19], Beydoun et al. [20]
Database and application integration | 5 | Asfand-E-Yar and Ali [3], Junior et al. [4], Petnga and Austin [21], Takhom et al. [22], Adnan and Afzal [23]
Describe the knowledge using common vocabulary | 6 | Asfand-E-Yar and Ali [3], Junior et al. [4], Jannath and S [12], Petnga and Austin [21], Takhom et al. [22], Adnan and Afzal [23]
To Resolve Requirement change in Software Development | 3 | Alsanad et al. [14], Gregorio et al. [24]
Maintenance software testing | 2 | Popereshnyak and Vecherkovskaya [1], García-Peñalvo et al. [13]
Building the concept of software quality | 1 | Alsanad et al. [14]
Developing systems in data integration | 1 | John et al. [25]
Application pattern in software development | 1 | Deb et al. [26]
Software development model | 1 | De Graaf et al. [27]
Techniques for detecting changes to software systems | 1 | Peldszus et al. [28]
Software development process | 1 | Abdalazeim and Meziane [29]
Software data model | 1 | Dahling et al. [30]
Software development data model process | 1 | Olszewska and Allison [31]
Modeling software knowledge | 1 | Wen and Katt [32]
Tools for building software | 1 | Stadnicki et al. [33]
Technical model software | 1 | Zou et al. [34]
Software engineering process | 1 | Murtazina and Avdeenko [35]
Software development process | 2 | Wongthongtham et al. [36], Ortega-Ordoñez et al. [37]
Software measurement & systems Integration | 1 | Fonseca et al. [38]
Real-time and dynamic ontology modeling of the IoT system | 1 | Chen et al. [15]
Software engineering process | 3 | Orellana and Mandrick [39], Wiebe and Chan [40], Van Kervel et al. [41]
Analyzing social media Big Data in Cloud | 1 | Chauhan et al. [42]
Quality assessment & continuous improvement | 1 | Roldán-Molina et al. [16]
Support of requirements engineering in agile software development | 1 | Murtazina and Avdeenko [43]
Reverse engineering of conventional software | 1 | Bhatia et al. [2]
Service-oriented system | 1 | Shen et al. [44]
ISO Software engineering standards | 1 | Gonzalez-Perez et al. [17]
5. Management process in software development. ...
... A perfect multi-layer framework for analysis, threat intelligence and validation of security policies in computer systems has been described in work [42]. Later works [43,44,45] show several new aspects of ontology-driven evolution of the security-by-design field. ...
Preprint
This work considers the challenges of building and using a formal knowledge base (model) that unites the ATT&CK, CAPEC, CWE, and CVE security enumerations. The proposed model can be used to learn relations between attack techniques, attack patterns, weaknesses, and vulnerabilities in order to build various threat landscapes, in particular for threat modeling. The model is created as an ontology with freely available datasets in the OWL and RDF formats. The use of ontologies is an alternative to structural and graph-based approaches for integrating the security enumerations. In this work we consider an approach to threat modeling with the data components of ATT&CK based on the knowledge base and an ontology-driven threat modeling framework. Also, some evaluations are made of how the ontological approach to threat modeling can be used and which challenges can be faced.