基于漏洞本体的软件安全环境度量

2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement Pub Date : 2009-07-08 DOI:10.1109/SSIRI.2009.60

Ju An Wang, Minzhe Guo, Hao Wang, Min Xia, Linfeng Zhou

{"title":"基于漏洞本体的软件安全环境度量","authors":"Ju An Wang, Minzhe Guo, Hao Wang, Min Xia, Linfeng Zhou","doi":"10.1109/SSIRI.2009.60","DOIUrl":null,"url":null,"abstract":"This paper proposes an ontology-based approach to analyzing and assessing the security posture for software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differentiates with the previous work in the following aspects: (1) It is a holistic approach emphasizing that the system assurance cannot be determined or explained by its component assurance alone. Instead, the software system as a whole in a given running environment determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrated these standards seamlessly thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering the environmental scores for software products.","PeriodicalId":196276,"journal":{"name":"2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement","volume":"134 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"Environmental Metrics for Software Security Based on a Vulnerability Ontology\",\"authors\":\"Ju An Wang, Minzhe Guo, Hao Wang, Min Xia, Linfeng Zhou\",\"doi\":\"10.1109/SSIRI.2009.60\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"This paper proposes an ontology-based approach to analyzing and assessing the security posture for software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differentiates with the previous work in the following aspects: (1) It is a holistic approach emphasizing that the system assurance cannot be determined or explained by its component assurance alone. Instead, the software system as a whole in a given running environment determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrated these standards seamlessly thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering the environmental scores for software products.\",\"PeriodicalId\":196276,\"journal\":{\"name\":\"2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement\",\"volume\":\"134 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2009-07-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/SSIRI.2009.60\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SSIRI.2009.60","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

摘要

本文提出了一种基于本体的软件产品安全态势分析与评估方法。它基于软件产品的安全需求和保证证据，为软件产品提供信任度量，这些度量来自为漏洞管理而构建的本体。我们的方法与之前的工作在以下方面有所不同:(1)它是一种整体方法，强调系统保证不能仅由其组成保证来确定或解释。相反，软件系统作为一个整体在给定的运行环境中决定了它的保证级别。(2)我们的方法基于广泛接受的标准，如CVSS、CVE、CWE、CPE和CAPEC。我们的本体无缝地集成了这些标准，从而为安全评估提供了坚实的基础。(3)自动化工具已经被构建来支持我们的方法，为软件产品交付环境分数。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Environmental Metrics for Software Security Based on a Vulnerability Ontology

This paper proposes an ontology-based approach to analyzing and assessing the security posture for software products. It provides measurements of trust for a software product based on its security requirements and evidence of assurance, which are retrieved from an ontology built for vulnerability management. Our approach differentiates with the previous work in the following aspects: (1) It is a holistic approach emphasizing that the system assurance cannot be determined or explained by its component assurance alone. Instead, the software system as a whole in a given running environment determines its assurance level. (2) Our approach is based on widely accepted standards such as CVSS, CVE, CWE, CPE, and CAPEC. Our ontology integrated these standards seamlessly thus provides a solid foundation for security assessment. (3) Automated tools have been built to support our approach, delivering the environmental scores for software products.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement

自引率

0.00%

发文量