A Study on effectiveness of software vulnerability assessment for component-based software development

Abstract

Security is an essential aspect for software development as many critical and vital functions, systems and services are now controlled by software. Operating systems to middleware to applications, integrated systems to embedded systems to firmware, and networks of all sizes and complexities are now controlled and managed by software. Thus, assurance of security in such software and thereby the protection of sensitive data is essential. Due to the complexity, scalability and maintainability factors, the software industry is moving rapidly towards component-based systems development where various artefacts are integrated to achieve a variety of functionality. This integration occurs in different phases in the life cycle of a system and usually at a rapid pace. Therefore, it is doubtful if the correct level of emphasis is placed in the development process to assure the security of composing a system with such diverse components, even if they have a high level of security individually. While there are many tools to test the potential for exploitation of vulnerabilities in software systems, these tools are most often optimized to test certain application scenarios, development phases, and specific software categories or methodologies. Therefore, with the increasing use of composed development of software systems and also the expansion in the tools and techniques available for software vulnerability exploitation, it is vital to evaluate the effectiveness of existing vulnerability assessment scheme on composed software development. This research is focused on determining the direction for improved effectiveness of software vulnerability tools in the composed system development paradigm.