
Publication


Featured research published by Timothy J. Shimeall.


Software Testing, Verification & Reliability | 2002

An empirical evaluation of six methods to detect faults in software

Sun Sup So; Sung Deok Cha; Timothy J. Shimeall; Yong Rae Kwon

Although numerous empirical studies have been conducted to measure the fault detection capability of software analysis methods, few studies have been conducted using programs of similar size and characteristics. Therefore, it is difficult to derive meaningful conclusions on the relative detection ability and cost‐effectiveness of various fault detection methods. In order to compare fault detection capability objectively, experiments must be conducted using the same set of programs to evaluate all methods and must involve participants who possess comparable levels of technical expertise. One such experiment was ‘Conflict1’, which compared voting, a testing method, self‐checks, code reading by stepwise refinement and data‐flow analysis methods on eight versions of a battle simulation program. Since an inspection method was not included in the comparison, the authors conducted a follow‐up experiment ‘Conflict2’, in which five of the eight versions from Conflict1 were subjected to Fagan inspection. Conflict2 examined not only the number and types of faults detected by each method, but also the cost‐effectiveness of each method, by comparing the average amount of effort expended in detecting faults. The primary findings of the Conflict2 experiment are the following. First, voting detected the largest number of faults, followed by the testing method, Fagan inspection, self‐checks, code reading and data‐flow analysis. Second, the voting, testing and inspection methods were largely complementary to each other in the types of faults detected. Third, inspection was far more cost‐effective than the testing method studied.


IEEE Software | 1999

Software security in an Internet world: an executive summary

Timothy J. Shimeall; John J. McDermott

Businesses of all sizes use the Internet for sales, purchasing, and collaborations. They all need reliable systems. Faced with substantial numbers of reported security problems, Internet users must decide how much risk they are willing to take to participate in what the Internet world offers. After presenting the scope and origin of the Net's security problems, the authors outline three immediate steps we can take to help ensure software security. The third, examination and repair of existing systems, rivals the magnitude of the Y2K worldwide effort.


Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement | 2002

Models of information security trend analysis

Timothy J. Shimeall; Phil Williams

This paper discusses a framework for conduct of information security trend analyses. While several organizations are performing such analyses, there is wide disparity between the level of the analyses, the applicability of results, and the assumptions involved in properly interpreting the results. The framework offers a common ground in which these issues may be resolved. An example analysis process is presented in the paper. The paper includes a discussion of cautionary factors in the application of this framework.


Contemporary Security Policy | 2002

Intelligence Analysis for Internet Security

Phil Williams; Timothy J. Shimeall; Casey Dunlevy

The development of information and communication systems has become a critical component of globalization, shrinking both time and space, with far-reaching consequences that are still barely understood. Hi-tech connectivity has facilitated the emergence of dense global commercial and information networks that are unprecedented in their speed, accessibility and capability. Not surprisingly, the United States has been the leader in this process, exploiting new opportunities in a variety of ways. Information and communication technologies provide greater efficiencies at lower costs for US business, while the military services regard opportunities for information warfare as a major component of what for many years now has been described as the ‘revolution in military affairs’. Indeed, information and communications systems have been widely embraced as a means of maintaining United States primacy, both economically and militarily. Unfortunately, such opportunities rarely come without some risk. The information and communications revolutions are no exception. Accompanying the growth in the power and sophistication of information systems has been an enormous increase in dependence on these systems. Information and communication technologies have been embraced enthusiastically but with little attention to attendant, if inadvertent, vulnerabilities. Indeed, reliance on the new systems has grown much faster than our grasp of the vulnerabilities inherent in the networks, systems and core technologies that underlie the information and communications revolutions. Moreover, in spite of some well-publicized and extremely costly incidents, there remains a remarkable level of complacency. Results from the annual Computer Security Institute and FBI Annual Survey have revealed considerable reluctance to report problems. The 2002 survey, for example, revealed that only 34 per cent of those who suffered serious attacks reported the intrusions to law enforcement. While this was double the annual reporting percentage of the late 1990s, it was still a remarkably low figure. Such reticence is not confined to the United States and is often accompanied by an under-estimation of the problem,


Introduction to Information Security: A Strategic-Based Approach | 2014

Resistance Strategies: Authentication and Permissions

Timothy J. Shimeall; Jonathan M. Spring

This chapter discusses various methods of authentication and authorization, the differences between those two terms, and common attacks on some of the methods, especially passwords. The chapter introduces the “what you know,” “what you have,” “what you are” triad for authentication factors and discusses examples of each factor. The example of password storage in Unix is developed as a technical example. The benefits of multifactor authentication are also discussed. Permissions are discussed both in practical detail and in theory—practically, in the context of Unix-like file permissions, and theoretically in the context of RBAC and RBAC’s contribution relative to older models MAC and DAC. Distributed authentication is discussed primarily in the context of Kerberos, and a brief technical introduction to Kerberos is presented. All the chapter’s discussions, especially Kerberos, cannot occur without a mention of cryptography; however, only the barest minimum of cryptography is introduced, to focus on concepts rather than technical procedures. Chapter 8 provides the appropriate cryptography discussion relative to resistance strategies. The chapter concludes by discussing two common classes of attacks on authentication systems: password cracking and social engineering, especially phishing.


Introduction to Information Security: A Strategic-Based Approach | 2014

Recognition Strategies: Intrusion Detection and Prevention

Timothy J. Shimeall; Jonathan M. Spring

This chapter discusses intrusion detection and prevention technologies as a recognition strategy. The reason for intrusion detection systems (IDSs) is introduced; namely, that humans are too slow and network threats need to be addressed at network speed. Further, the technologies introduced in Chapter 5 as frustration strategies are not infallible, and an IDS is a method of auditing the success of frustration and resistance strategies. Given this motivation and that IDSs are important contributions to a layered defense, the chapter discusses several common pitfalls that can degrade IDS usefulness. These include problems of packet fragmentation, application reassembly, acting out of band, utilizing centrality effectively, and the base-rate fallacy. All IDSs have two basic modes of detection: signature based and anomaly based. The differences between these are introduced and the uses for each are discussed. Although the bulk of the chapter focuses on network IDSs, systems that use related but different data elements are also introduced: network behavior analyzers and wireless IDSs.


Introduction to Information Security: A Strategic-Based Approach | 2014

Network Analysis and Forensics

Timothy J. Shimeall; Jonathan M. Spring

This chapter begins the first of four on recognition strategies. It focuses on the concepts of network analysis, specifically in the context of human-driven network analysis. This lays some foundation for the discussion of IDS in Chapter 12, since IDSs tend to automate many of the same processes that human analysts have developed. This chapter provides an introduction to the OSI model as a method of contextualizing network operations and to provide a mental model. Before exploring analysis methods, the chapter includes some guidance for nonanalysts as to what can be expected from analysis. The section discusses what questions are or are not easy or fruitful types of questions to ask network analysts. Various analysis methods are discussed, including network flow, metadata analysis, application-level analysis, signature analysis, and full-packet capture. The chapter also includes some pointers to web resources like blogs that a security analyst might find helpful in keeping up to date on breaking security news and threats. The chapter concludes with a discussion of network forensics and its similarity to analysis, as well as the importance of understanding the sensor architecture used to collect the data.


Introduction to Information Security: A Strategic-Based Approach | 2014

Resistance Strategies: Partitioning and Need to Know

Timothy J. Shimeall; Jonathan M. Spring

Where encryption focuses on increasing the resistance to attacks via controlling the comprehensibility of information that is either a target of the attack or a means for the attack to progress, this chapter focuses on increasing resistance to attacks via controlling the visibility of such information on the computer network.


Introduction to Information Security: A Strategic-Based Approach | 2014

Professional Certifications and Overall Conclusions

Timothy J. Shimeall; Jonathan M. Spring

This chapter summarizes the book and discusses some items that cut across all strategies. The primary example of this is discussing various professional certifications, and their benefits, uses, and detriments. It then revisits the strategies presented earlier, describing a conceptual means for constructing an overall, balanced approach for dealing with the threats to an organization. The chapter also provides sidebars on Sun Tzu and the difficulties of advanced persistent threats, and concludes with some suggestions for furthering one’s security education.


Introduction to Information Security: A Strategic-Based Approach | 2014

Resistance Strategies: Symmetric Encryption

Timothy J. Shimeall; Jonathan M. Spring

This chapter provides an introduction to encryption as a resistance strategy. The focus is on symmetric encryption. Steganography and asymmetric encryption are covered in enough detail to demonstrate what symmetric cryptography is not, even though both could be subjects of books in their own right. Likewise, information theory is introduced at the appropriate level to support the discussion on cryptography. The chapter assumes no previous knowledge, and attempts to provide a basis for understanding by beginning with definitions for primitive cryptographic terms and discussing what encryption can and cannot do. To give the reader a feel for how cryptography works, historic examples are introduced and the workings of the ciphers are described in some detail. Although these ciphers are not of practical importance, they are simple enough that the reader can grasp their workings without the extensive math background needed for modern ciphers. The historic ciphers covered include several substitution and transposition ciphers, starting with the simple Caesar cipher. Modern encryption is discussed in the context of its primary uses: block ciphers, stream ciphers, disk encryption, and file encryption. Asymmetric encryption is introduced mostly for its utility in key management and distribution of symmetric keys. Host identification, more properly a topic for Chapter 7, is included in this chapter as a motivating example and technical example of these concepts; particularly to this end, the working of the transport layer security (TLS) stack is described.

Collaboration


Timothy J. Shimeall's most frequent co-authors and their affiliations.

Top Co-Authors

Andrew P. Moore, Software Engineering Institute
Dawn M. Cappelli, Software Engineering Institute
Casey Dunlevy, Carnegie Mellon University
Akash G. Desai, Carnegie Mellon University
Elise A. Weaver, Worcester Polytechnic Institute
Phil Williams, University of Southampton
Randall F. Trzeciak, Software Engineering Institute
Stephanie Rogers, Software Engineering Institute