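@article{dashevskyi.ea:vulnerability-screening:2018,
  author   = {Dashevskyi, Stanislav and Brucker, Achim D. and Massacci, Fabio},
  title    = {A Screening Test for Disclosed Vulnerabilities in {FOSS} Components},
  journal  = {{IEEE} Trans. Software Eng.},
  year     = 2019,
  volume   = 45,
  number   = 10,
  pages    = {945--966},
  month    = oct,
  doi      = {10.1109/TSE.2018.2816033},
  url      = {https://www.brucker.ch/bibliography/abstract/dashevskyi.ea-vulnerability-screening-2018},
  pdf      = {https://www.brucker.ch/bibliography/download/2018/dashevskyi.ea-vulnerability-screening-2018.pdf},
  language = {USenglish},
  keywords = {Security maintenance; Security vulnerabilities; Free and Open Source Software},
  abstract = {Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source
              applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this
              an application must decide whether to update the FOSS component, patch the application itself, or just
              do nothing as the vulnerability is not applicable to the older version of the FOSS component used.
              This is particularly challenging for enterprise software vendors that consume thousands of FOSS
              components and offer more than a decade of support and security fixes for their applications.
              Moreover, customers expect vendors to react quickly on disclosed vulnerabilities---in case of widely
              discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a
              screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a
              given vulnerability is present in a consumed FOSS component by looking across its entire repository.
              We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring
              Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits
              and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the
              empirical probability that, on the above mentioned projects, a potentially vulnerable component might
              not actually be vulnerable after all.},
}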
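@book{nipkow.ea:concrete:2014,
  author    = {Nipkow, Tobias and Klein, Gerwin},
  title     = {Concrete Semantics -- With {Isabelle/HOL}},
  publisher = {Springer},
  year      = 2014,
  doi       = {10.1007/978-3-319-10542-0},
  isbn      = {978-3-319-10541-3},
  timestamp = {Fri, 02 Nov 2018 09:27:06 +0100},
}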