Research article (Open Access). DOI: 10.1145/2660267.2660320. ACM CCS conference proceedings.

Moving Targets: Security and Rapid-Release in Firefox

Published: 03 November 2014

ABSTRACT

Software engineering practices strongly affect the security of the code produced. The increasingly popular Rapid Release Cycle (RRC) development methodology and easy network software distribution have enabled rapid feature introduction. RRC's defining characteristic of frequent software revisions would seem to conflict with traditional software engineering wisdom regarding code maturity, reliability and reuse, as well as security. Our investigation of the consequences of rapid release comprises a quantitative, data-driven study of the impact of rapid-release methodology on the security of the Mozilla Firefox browser. We correlate reported vulnerabilities in multiple rapid release versions of Firefox code against those in corresponding extended release versions of the same system; using a common software base with different release cycles eliminates many causes other than RRC for the observables. Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the "moving targets") that requires time to exploit. These provocative results suggest that a rethinking of the consequences of software engineering practices for security may be warranted.

