Abstract
Component reuse has become a trend in software engineering. However, third-party components can introduce vulnerabilities into software applications and become the weakest link in the security chain. In this paper, we discuss the limitations of traditional security practices and controls against vulnerable components. As a solution, we present a software design and development approach, combined with a collaborative, cloud-based vulnerability and threat management system. This combination aims to give applications “artificial immunity” to third-party components by dynamically identifying and controlling the related security risks. It also strives to promote the automatic discovery of emerging threats and zero-day vulnerabilities, and the near real-time dissemination of information about them. At the heart of our solution, we use application-level API sandboxing, together with adaptive signature-based and anomaly-based API intrusion detection and prevention. The need-to-know principle, cost-effectiveness, and user acceptance through separation of concerns have been our guiding security engineering principles.
© 2017 Springer International Publishing AG
Cite this paper
Iraqi, O., El Bakkali, H. (2017). Toward Third-Party Immune Applications. In: Rak, J., Bay, J., Kotenko, I., Popyack, L., Skormin, V., Szczypiorski, K. (eds) Computer Network Security. MMM-ACNS 2017. Lecture Notes in Computer Science(), vol 10446. Springer, Cham. https://doi.org/10.1007/978-3-319-65127-9_28
DOI: https://doi.org/10.1007/978-3-319-65127-9_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65126-2
Online ISBN: 978-3-319-65127-9
eBook Packages: Computer Science (R0)