Beruflich Dokumente
Kultur Dokumente
Determined adversaries continue to have the up- the context of the conversation instead of an encryp-
per hand in their ability to attack cyber-intensive sys- tion key, nodes in a network develop a unique alter-
tems, often at will. Even the most causal perusal of native language to disguise the real meaning of the
industry reports reveals increasing attack frequency communication between them. The authors discuss
and business/mission consequences for affected or- the potential benefits and challenges in implementing
ganizations and individuals. Whether the focus is such a system.
traditional enterprise IT environments or cyber-
physical systems, the asymmetry between attackers In the final paper, Estimating Software Vulnera-
and defenders remains a serious problem. bility Counts in the Context of Cyber Risk Assess-
Against this backdrop, the goal of this minitrack ments, authors Thomas Llansó (Johns Hopkins Uni-
is to advance science foundations, technologies, and versity Applied Physics Laboratory and Dakota State
practices that can improve the security and dependa- University) and Martha McNeil (Johns Hopkins Uni-
bility of complex systems. The papers for the mini- versity Applied Physics Laboratory) develop and
track come at this goal from a diverse set of perspec- apply a metric to estimate the proportion of latent
tives, from protecting memory within machines, re- vulnerabilities to total vulnerabilities in a software
ducing vulnerabilities in distributed system interac- system. They then apply the metric to five scenarios
tions, deploying more powerful anomaly detection, involving software on the scale of operating systems.
and assisting cybersecurity engineers in addressing The findings suggest caution in interpreting the re-
cyber risk and related mitigations. sults of cyber risk methodologies that depend on
enumerating known software vulnerabilities because
In the first paper, An Empirical Study of Security
the number of unknown vulnerabilities in large-scale
Issues Posted in Open Source Projects, authors Man-
software tends to exceed known vulnerabilities.
sooreh Zahedi (IT University of Copenhagen),
Muhammad Ali Babar (University of Adelaide) and
Christoph Treude (University of Adelaide), aim to
empirically identify and understand the security is-
sues posted on a random sample of GitHub reposito-
ries. They use a mixed-methods approach, combin-
ing topic modeling techniques and qualitative analy-
sis. Their findings reveal that the rate of security-
related issues is rather small (approx. 3% of all is-
sues), and that the majority of the security issues are
related to identity management and cryptography
topics. The authors present seven high-level themes
of problems that developers face in implementing
security features.