DOI: 10.1145/3407023.3407081
Research article, open access

Automated modelling of security incidents to represent logging requirements in software systems

Published: 25 August 2020

Abstract

In 2017 the Open Web Application Security Project (OWASP) identified insufficient logging and monitoring as one of the top ten security risks. Attackers can exploit insufficient logging in software systems to cause harm to an organisation while remaining undetected for long periods of time. Therefore, software systems used within an organisation should perform logging to collect data relevant to detecting and/or diagnosing potential security incidents. However, when implementing logging functionality, software developers either log too little information or log too much. In this paper, we provide an approach to help developers decide where to log and what to log for security purposes. Our approach allows a security engineer to replay potential security incidents on an instrumented version of the software system and automatically generate a model of such incidents. These are represented as a UML sequence diagram that contains the relevant method invocations occurring during an incident, without providing a representation of the entire software behaviour. Because our model refers to concrete system components, it provides immediate guidance to developers about which method executions should be logged for security purposes.
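The abstract describes the mechanism only in outline: instrument the system, replay an incident, and keep only the method invocations that occur during it. The following is an added, self-contained Python sketch of that idea; it is not the paper's tool and makes no claim about how the authors instrument Java systems. The toy classes (UserStore, AuthService, RecordService), the decorator-based instrumentation, the constructed credential-guessing scenario and the PlantUML text output are all assumptions made for illustration. Note that the recorder captures parameter names rather than values, so the generated model never contains credentials.

```python
"""Added example: record method invocations while replaying a constructed
incident and emit a sequence-diagram model of only what was executed."""
import functools
import hmac
import inspect
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Invocation:
    caller: str   # class (or human actor) that made the call
    callee: str   # class whose method ran
    method: str
    params: str   # parameter names only; argument values are deliberately not captured


class Recorder:
    """Collects caller -> callee edges while a scenario is being replayed."""
    def __init__(self) -> None:
        self.events: List[Invocation] = []
        self.stack: List[str] = ["Engineer"]  # outermost caller: the person replaying
        self.recording = False


recorder = Recorder()


def instrumented(method: Callable) -> Callable:
    """Decorator standing in for the instrumentation step (hypothetical, not the paper's)."""
    params = ", ".join(p for p in inspect.signature(method).parameters if p != "self")

    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        callee = type(self).__name__
        if recorder.recording:
            recorder.events.append(Invocation(recorder.stack[-1], callee, method.__name__, params))
        recorder.stack.append(callee)
        try:
            return method(self, *args, **kwargs)
        finally:
            recorder.stack.pop()
    return wrapper


class UserStore:
    USERS = {"alice": "correct horse battery staple"}  # constructed sample data (toy, unhashed)

    @instrumented
    def find(self, username):
        return self.USERS.get(username)

    @instrumented
    def records_for(self, username):
        return [f"record-of-{username}"]


class AuthService:
    def __init__(self, store: UserStore) -> None:
        self.store = store

    @instrumented
    def login(self, username, password) -> bool:
        stored = self.store.find(username)
        return stored is not None and hmac.compare_digest(stored, password)


class RecordService:
    def __init__(self, auth: AuthService, store: UserStore) -> None:
        self.auth, self.store = auth, store

    @instrumented
    def export_records(self, username, password):
        if not self.auth.login(username, password):
            return None  # silent failure: exactly the kind of path that needs a log line
        return self.store.records_for(username)


def replay(scenario: Callable[[], None]) -> List[Invocation]:
    """Run a scenario on the instrumented system and return only the invocations it caused."""
    recorder.events.clear()
    recorder.recording = True
    try:
        scenario()
    finally:
        recorder.recording = False
    return list(recorder.events)


def to_plantuml(events: List[Invocation]) -> str:
    """Render the recorded invocations as a PlantUML sequence diagram."""
    lines = ["@startuml"]
    for e in events:
        lines.append(f"{e.caller} -> {e.callee}: {e.method}({e.params})")
    lines.append("@enduml")
    return "\n".join(lines)


def logging_points(events: List[Invocation]) -> List[str]:
    """Distinct methods on the incident path, in first-seen order: where to log."""
    seen: List[str] = []
    for e in events:
        key = f"{e.callee}.{e.method}"
        if key not in seen:
            seen.append(key)
    return seen


def credential_guessing_scenario() -> None:
    """Constructed incident: three export attempts with wrong passwords for an existing account."""
    store = UserStore()
    service = RecordService(AuthService(store), store)
    for guess in ("password", "alice123", "letmein"):
        service.export_records("alice", guess)


if __name__ == "__main__":
    incident = replay(credential_guessing_scenario)
    print(to_plantuml(incident))
    print("Log these methods:", logging_points(incident))
```

Running the script prints nine arrows (three per attempt) and three logging points. UserStore.records_for never appears, because the replayed incident never reaches it: the model covers the incident path, not the whole program, which is the property the abstract emphasises.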




Published In

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
August 2020, 1073 pages
ISBN: 9781450388337
DOI: 10.1145/3407023
Program Chairs: Melanie Volkamer, Christian Wressnegger
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 25 August 2020

Author Tags

1. incident
2. logging
3. logs
4. modelling
5. representation
6. security
7. software
8. systems
9. threat modelling

Qualifier: Research article

Conference: ARES 2020

Acceptance Rate: Overall acceptance rate 228 of 451 submissions, 51%


Cited By

• (2024) BenchIMP: A Benchmark for Quantitative Evaluation of the Incident Management Process Assessment. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-12. DOI: 10.1145/3664476.3664504. Online publication date: 30-Jul-2024
• (2024) Identifying Security Threats in the System Using Automated Security Logs. 2024 Third International Conference on Sustainable Mobility Applications, Renewables and Technology (SMART), pp. 1-5. DOI: 10.1109/SMART63170.2024.10815284. Online publication date: 22-Nov-2024
• (2024) A literature review and existing challenges on software logging practices. Empirical Software Engineering 29:4. DOI: 10.1007/s10664-024-10452-w. Online publication date: 18-Jun-2024
• (2024) Forensic-Ready Analysis Suite: A Tool Support for Forensic-Ready Software Systems Design. Research Challenges in Information Science, pp. 47-55. DOI: 10.1007/978-3-031-59468-7_6. Online publication date: 4-May-2024
• (2023) Addressing insider attacks via forensic-ready risk management. Journal of Information Security and Applications 73:C. DOI: 10.1016/j.jisa.2023.103433. Online publication date: 1-Mar-2023
• (2023) BPMN4FRSS: An BPMN Extension to Support Risk-Based Development of Forensic-Ready Software Systems. Evaluation of Novel Approaches to Software Engineering, pp. 20-43. DOI: 10.1007/978-3-031-36597-3_2. Online publication date: 8-Jul-2023
• (2023) A Case Study on the Impact of Forensic-Ready Information Systems on the Security Posture. Advanced Information Systems Engineering, pp. 522-538. DOI: 10.1007/978-3-031-34560-9_31. Online publication date: 8-Jun-2023
• (2023) A Model of Qualitative Factors in Forensic-Ready Software Systems. Research Challenges in Information Science: Information Science and the Connected World, pp. 308-324. DOI: 10.1007/978-3-031-33080-3_19. Online publication date: 23-May-2023
• (2023) Forensic experts' view of forensic-ready software systems: A qualitative study. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2598. Online publication date: 12-Jul-2023
• (2022) Measuring Developers' Web Security Awareness from Attack and Defense Perspectives. 2022 IEEE Security and Privacy Workshops (SPW), pp. 31-43. DOI: 10.1109/SPW54247.2022.9833858. Online publication date: May-2022
