Projection of Security Vulnerabilities caused by Exploits in Dependencies

MSCA (Marie Skłodowska-Curie)HORIZON-TMA-MSCA-PF-EFID: 101067199
EC Contribution
€1,728
Consortium Size
1 orgs
Start Year
2022
Summary

ProSVED stands for Projection of Security Vulnerabilities caused by Exploits in Dependencies, and targets the prognosis of software vulnerabilities via security exploits in third-party libraries. The code controlled by developers, e.g. to add security patches, is a small fraction of the whole codebase that supports any software project today. Most lines of code reside in external dependencies whose security vulnerabilities pose threats to the entire project. This can be mitigated via strategic update policies. However, measuring the risks to find optimal policies constitutes a tremendous prognosis problem, to find the needle of offending lines that hide in a haystack of third-party libraries. ProSVED proposes a novel rare-event approach to the challenge, to estimate the most promising update policies in order to reduce the security risks inherited from external code. Working with experts from the University of Trento, ProSVED will thus push the frontiers of software security analysis, taking it beyond its classical empirical approach, and into the horizon of formal risk modelling for prediction and mitigation.

Consortium (1)

Project Results (9)

Source: CORDIS, the EU research results database.

Publications (6)
Transient Evaluation of Non-Markovian Models by Stochastic State Classes and Simulation
QEST+FORMATS· 2024DOI
Gabriel Dengler; Laura Carnevali; Carlos E. Budde; Enrico Vicario
Consolidating cybersecurity in Europe: A case study on job profiles assessment
Computers & Security· 2023DOI
Carlos E. Budde; Anni Karinsalo; Silvia Vidor; Jarno Salonen; Fabio Massacci
CSEC+ framework assessment dataset: Expert evaluations of cybersecurity skills for job profiles in Europe
Data in Brief· 2023DOI
Carlos E. Budde; Anni Karinsalo; Silvia Vidor; Jarno Salonen; Fabio Massacci
Analysis of non-Markovian repairable fault trees through rare event simulation
International Journal on Software Tools for Technology Transfer· 2022DOI
Carlos E. Budde; Pedro R. D’Argenio; Raúl E. Monti; Mariëlle Stoelinga
Automated Fault Tree Learning from Continuous-valued Sensor Data: A Case Study on Domestic Heaters
International Journal of Prognostics and Health Management, volume 13· 2022DOI
Bart Verkuil; Carlos E. Budde; Doina Bucur
Efficient and Generic Algorithms for Quantitative Attack Tree Analysis
IEEE Transactions on Dependable and Secure Computing· 2022DOI
Milan Lopuhaä-Zwakenberg; Carlos E. Budde; Mariëlle Stoelinga
Deliverables (2)
Other Results (1)
Periodic Reporting for period 1 - ProSVED (Projection of Security Vulnerabilities caused by Exploits in Dependencies)