Sami Hyrynsalmi

Modeling the delivery of security advisories and CVEs

This empirical paper models three structural factors that are hypothesized to affect the turnaround times between the publication of security advisories and Common Vulnerabilities and Exposures (CVEs). The three structural factors are: (i) software product age at the time of advisory release; (ii) severity of vulnerabilities coordinated; and (iii) amounts of CVEs referenced in advisories. Although all three factors are observed to provide only limited information for statistically predicting the turnaround times in a dataset comprised of Microsoft, openSUSE, and Ubuntu operating system products, the paper outlines new research directions for better understanding the current problems related to vulnerability coordination.

The role of applications and their vendors in evolution of software ecosystems

The most recent trends in the electronic commerce research have suggested that forming an ecosystem around a platform would create a winning solution. The ecosystem, consisting of vendors and external actors, would create competitive advantage for the platform owner. Furthermore, the sheer number of the actors has been used as the measure of the ecosystems well-being against competing ecosystems. Whereas a number of studies has been devoted to analyse the well-being indicators or structures of software ecosystems and the importance of complementors and complements are acknowledged, there is lack of studies addressing how the complementors affect into the evolution of ecosystems. This conceptual analysis aims to open discussion on this topic by using the mobile application ecosystems—such as Google Play or Apples iOS—as the case subject. While the results suggest some implications for the platform owners and complementors, more work is needed

Mining social networks of open source CVE coordination

Coordination is one central tenet of software engineering practices and processes. In terms of software vulnerabilities, coordination is particularly evident in the processes used for obtaining Common Vulnerabilities and Exposures (CVEs) identifiers for discovered and disclosed vulnerabilities. As the central CVE tracking infrastructure maintained by the non-profit MITRE Corporation has recently been criticized for time delays in CVE assignment, almost an ideal case is available for studying software and security engineering coordination practices with practical relevance. Given this pragmatic motivation, this paper examines open source CVE coordination that occurs on the public oss-security mailing list. By combining social network analysis with a data-driven, exploratory research approach, the paper asks six data mining questions with practical relevance. By contemplating about answers to the questions asked by means of descriptive statistics, the paper consequently contributes not only to the contemporary industry debates, but also to the tradition of empirical vulnerability research. The perspective and the case are both novel in this tradition, thus opening new avenues for further empirical inquiries and practical improvements for the contemporary CVE coordination.

Evaluating the use of internet search volumes for time series modeling of sales in the video game industry

Internet search volumes have been successfully adopted for time series analysis of different phenomena. This empirical paper evaluates the feasibility of search volumes in modeling of weekly video game sales. Building on the theoretical concepts of product life cycle, diffusion, and electronic word-of-mouth advertisement, the empirical analysis concentrates on the hypothesized Granger causality between sales and search volumes. By using a bivariate vector autoregression model with a dataset of nearly a hundred video games, only a few games exhibit such causality to either direction. When correlations are present, these rather occur instantaneously; the current weekly amount of sales tends to mirror the current weekly amount of searches. According to the results, search volumes contribute only a limited additional statistical power for forecasting, however. Besides this statistical limitation, the presented evaluation reveals a number of other limitations for use in practical marketing and advertisement foresight. Internet search volumes continue to provide a valuable empirical instrument, but the value should not be exaggerated for time series modeling of video game sales.

A Survey on Aims and Environments of Diversification and Obfuscation in Software Security

Diversification and obfuscation methods are promising approaches used to secure software and prevent malware from functioning. Diversification makes each software instance unique so that malware attacks cannot rely on the knowledge of the programs execution environment and/or internal structure anymore. We present a systematic literature review on the state of-the-art of diversification and obfuscation research aiming to improve software security between 1993 and 2014. As the result of systematic search, in the final phase, 209 related papers were included in this study. In this study we focus on two specific research questions: what are the aims of diversification and obfuscation techniques and what are the environments they are applied to. The former question includes the languages and the execution environments that can benefit from these two techniques, while the second question presents the goals of the techniques and also the type of attacks they mitigate.

Exploring the clustering of software vulnerability disclosure notifications across software vendors

This exploratory empirical paper investigates annual time delays between vulnerability disclosure notifications and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reflecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efficiency of vulnerability disclosure could be improved.

Do We Have What Is Needed to Change Everything

The fourth industrial revolution is expected to bring major changes both in society as well as in the modern industry. Naturally, it will also shake the labour market—however, not only by replacing blue collar duties by robots, but also by renewing the set of skills and competencies needed in new kinds of work duties. In this study, we use a data (n = 160) from a survey to the Finnish software businesses to evaluate how software companies perceive the labour shortage and its implications in the verge of the new industrial revolution. The results show that already now there are signs that the labour shortage might harm the growth and innovations in the ICT field. This study presents the results from the survey and discusses whether there are enough competent resources to support the industrial revolution.

A Post-Mortem Empirical Investigation of the Popularity and Distribution of Malware Files in the Contemporary Web-Facing Internet

This short empirical paper investigates a snapshot of about two million files from a continuously updated big data collection maintained by F-Secure for security intelligence purposes. By further augmenting the snapshot with open data covering about a half of a million files, the paper examines two questions: (a) what is the shape of a probability distribution characterizing the relative share of malware files to all files distributed from web-facing Internet domains, and (b) what is the distribution shaping the popularity of malware files? A bimodal distribution is proposed as an answer to the former question, while a graph theoretical definition for the popularity concept indicates a long-tailed, extreme value distribution. With these two questions – and the answers thereto, the paper contributes to the attempts to understand large-scale characteristics of malware at the grand population level – at the level of the whole Internet.

The War of Talents in Software Business

The modern business world is undergoing digitalisation in fast pace and, therefore, more jobs are born in the field of information and communication technology (ICT). Only in Finland, one of the leading countries in digitalisation, there is an estimated need for 7,000–15,000 software professionals while the demand for skilled labour is growing every year. The skill set required from professionals is also changing and different skills are needed in the future. ICT companies are facing problems of finding highly skilled professionals to ensure their rapid growth and new innovations. At the same time, when companies are fighting for the talents, there are ICT professionals unemployed. Offered and requested skills are not meeting in the ICT industry, which can lead to bigger problems in the eyes of workers and companies. This study focuses on the skill polarisation between software professionals at the war of talents by using data collected with a survey (n = 90) to software businesses. The results reveal some signs of ongoing skill polarisation in the field and its possible impacts are discussed.

Survey of prototyping solutions utilizing Raspberry Pi

Sensor networks are a highly researched application area in the field of Internet of Things (IoT). A key cost and resource question in the development of IoT network sensor solutions is prototype implementation. In this study, the Raspberry Pi—a widely used single board computer—is investigated as it is one of the most commonly used prototyping devices available and is also widely used in scientific research. In this paper, we address which technologies, the usefulness and what kinds of issues arise when the prototyping of a sensor network solution is done with Raspberry Pi. The extant literature is studied by selecting papers with the systematic literature review method. Based on an extensive survey of the selected studies, we found several sensor-based implementations where Raspberry Pi has been used. In addition, this survey revealed subjects, such as e-health and education, which expanded the research topic in new ways. Further research opportunities have been identified in specifying the usefulness of various technologies with single board computers.