2022 Early Hearing Detection & Intervention Virtual Conference

March 13 - 15, 2022

<< BACK TO AGENDA

9/27/2017  |   4:00 PM - 4:45 PM   |  Assessing Software Supply Chain Risk Using Public Data   |  Track 1 - Cyber Security

Assessing Software Supply Chain Risk Using Public Data

The software supply chain is a source of cybersecurity risk for many commercial and government organizations. Public data may be used to inform automated tools for detecting software supply chain risk during continuous integration and deployment. We link data from the National Vulnerability Database (NVD) with open version control data for the open source project OpenSSL, a widely used secure networking library that made the news when a significant vulnerability, Heartbleed, was discovered in 2014. We apply the Alhazmi-Malaiya Logistic (AML) model for software vulnerability discovery to this case. This model predicts a sigmoid cumulative vulnerability discovery function. Some versions of OpenSSL do not conform to the predictions of the model because they contain a temporary plateau in the cumulative vulnerability discovery distribution. This temporary plateau feature is an empirical signature of a security failure mode that may be useful in future studies of software supply chain risk.

Presentation:
This presentation has not yet been uploaded.

Handouts:
Handout is not Available

Transcripts:
CART transcripts are NOT YET available, but will be posted shortly after the conference


Presenters/Authors

Sebastian Benthall (), Ion Channel, seb.benthall@ionchannel.io;
Sebastian Benthall is a data scientist at Ion Channel. He is also a Junior Research Scientist at NYU Steinhardt and a PhD Candidate at UC Berkeley's School of Information.


ASHA DISCLOSURE:

Financial -

Nonfinancial -