Abstract Details

<< Back to Schedule

9/27/2017  |   4:00 PM - 4:45 PM   |  Track 1 - Cyber Security

Assessing Software Supply Chain Risk Using Public Data

The software supply chain is a source of cybersecurity risk for many commercial and government organizations. Public data may be used to inform automated tools for detecting software supply chain risk during continuous integration and deployment. We link data from the National Vulnerability Database (NVD) with open version control data for the open source project OpenSSL, a widely used secure networking library that made the news when a significant vulnerability, Heartbleed, was discovered in 2014. We apply the Alhazmi-Malaiya Logistic (AML) model for software vulnerability discovery to this case. This model predicts a sigmoid cumulative vulnerability discovery function. Some versions of OpenSSL do not conform to the predictions of the model because they contain a temporary plateau in the cumulative vulnerability discovery distribution. This temporary plateau feature is an empirical signature of a security failure mode that may be useful in future studies of software supply chain risk.

This presentation has not yet been uploaded.

No handouts have been uploaded.

Sebastian Benthall (Primary Presenter,Author), Ion Channel, seb.benthall@ionchannel.io;
Sebastian Benthall is a data scientist at Ion Channel. He is also a Junior Research Scientist at NYU Steinhardt and a PhD Candidate at UC Berkeley's School of Information.

2017 Sponsors: IEEE and IEEE Computer Society