Log In Sign Up

Software Protection as a Risk Analysis Process

by   Daniele Canavese, et al.

The last years have seen an increase of Man-at-the-End (MATE) attacks against software applications, both in number and severity. However, MATE software protections are dominated by fuzzy concepts and techniques, and security-through-obscurity is omnipresent in this field. In this paper, we present a rationale for adopting and standardizing the protection of software as a risk management process according to the NIST SP800-39 approach. We examine the relevant aspects of formalizing and automating the risk management activities, to instigate the necessary actions for adoption. We highlight the open issues that the research community has to address. We discuss the benefits that such an approach can bring to all stakeholders, from software developers to protections designers, and for the security of all the citizens. In addition, we present a Proof of Concept (PoC) of a decision support system that automates the risk analysis methodology towards the protection of software applications. Despite being in an embryonic stage, the PoC proved during validation with industry experts that several aspects of the risk management process can already be formalized and that it is an excellent starting point for building an industrial-grade decision support system.


page 1

page 2

page 3

page 4


Forensic-Ready Risk Management Concepts

Currently, numerous approaches exist supporting the implementation of fo...

Factors Hindering the Adoption of DevOps in the Saudi Software Industry

DevOps has gained high importance in the global software industry due to...

Risk Management Practices in Information Security: Exploring the Status Quo in the DACH Region

Information security management aims at ensuring proper protection of in...

A Meta-Method for Portfolio Management Using Machine Learning for Adaptive Strategy Selection

This work proposes a novel portfolio management technique, the Meta Port...