The Post-Release Lifecycle Security Costs of Open Source Products


Dragoş PALAGHIŢĂ
Economic Informatics Department, ASE, Bucharest, Romania

Abstract: The open source security components available on the internet are analyzed. Post-release quality is discussed for distributed open source applications. The optimization cost for distributed applications is defined. Optimal replacement cost is discussed. The maintenance factors that affect open source Mozilla projects are presented. A set of 200 security defects obtained from the Mozilla project defect database is subject to analysis. A cost measurement for maintaining software products is presented.

Keywords: cost, security, open source, post-release quality.

1. Introduction

There are open source security systems that are under continued development by experienced programmers, providing high quality source code. Open source security systems provide effective means of protecting data from vulnerabilities using encryption and by monitoring behavior and networking events, with the additional advantage that the components are free of charge. According to [1], companies started to adopt this type of security system instead of commercial ones because of the limited budget available, but the biggest disadvantage of open source products compared with commercial solutions is the lack of the technical advice and implementation assistance provided by developers of commercial security solutions.
Among the most popular open source security solutions according to [1] and [2] are:

- Nessus is a vulnerability analysis solution that, according to [3], incorporates:
  o the analysis of network vulnerabilities;
  o the analysis of security applications coming from third parties;
  o the analysis of network ports by scanning;
  o web application vulnerability analysis;
  o testing for anti-virus configuration problems or expired licenses;
  o SQL server configuration auditing;
  o listing the software running on Unix or Windows;
  Nessus operates under Windows, Mac OSX and Unix and is available for download at
- OSSEC is an open source intrusion detection system having, as stated in [4], the following subsystems:
  o analysis of computer and application logs;
  o checking the integrity of files;
  o Windows registry monitoring;
  o rootkit detection;
  o alerting in real time.
  OSSEC is available for download at
- Nagios is an open source monitoring tool that, according to [5], allows:

  o monitoring of the components important for business processes, including operating systems, applications and network protocols;
  o calculating the metrics of the operating system and network infrastructure used;
  o viewing the behavior of the entire network of computers within the organization;
  o sending alerts to network administrators via e-mail or SMS;
  o planning improvements to network equipment before the old equipment becomes ineffective;
  o extensive reporting of all events that took place in the monitored computer network;
  o an extensible architecture, by adding expansion modules developed in the company or by using modules developed by the open source community.
  Nagios is available for download at
- ClamAV is an open source antivirus that, according to [6], implements:
  o scanning from the command line;
  o scanning e-mails;
  o support for almost all formats of messages;
  o support for archive formats type;
  o a virus disinfection system.
  ClamAV is available for download at
- OpenSSL is an open source project that, according to [7], aims to develop a set of programs implementing the SSL and TLS protocols and cryptography libraries; the source code and binaries of OpenSSL are available for download at

Open source security products are competitive and receive contributions from a very large number of software developers. Program structure is carefully checked and programming errors are minimized; therefore their share of use among companies, and also among individual users, is increasing.

2. Open source post release quality

Maintainability concerns changing IT applications through corrections, improvements or adaptations that are made necessary by environmental changes, functionality changes and changes in requirements and specifications. Maintainability must be considered from the beginning of the design process of distributed systems, so that measures and procedures are implemented that facilitate the swift resolution of any problems.
The maintainability of distributed applications must provide ways to support management processes in the local network and in the distributed network. For this purpose the following should be pursued:

- providing troubleshooting procedures with the initial implementation of IT applications; this is achieved by developing procedures that prevent the largest possible number of predefined problem scenarios in the processes taking place in the ordinary course of using the product;
- sets of configuration settings to be used according to strict criteria such as:
  o number of computers on the network;
  o number of requests per hour, to determine the load to be borne by the distributed application;
  o structure of the computer network;

  o security policies of the organization;
- developing plans for regular maintenance to confirm the proper functioning of the distributed application;
- existence of procedures and specifications for unforeseen problems, to minimize the duration of repair; in this case it is necessary to:
  o define standards for the development of source code;
  o establish standard procedures for commenting the source code;
- existence of specific troubleshooting methodologies for as many classes of software defects as possible;
- ensuring a high degree of cohesion of classes;
- ensuring minimal dependencies between application classes;
- implementing methods that automatically collect data on application behavior to determine fault-prone modules;
- regularly saving the data and information processed by the distributed application to ensure that it can be rapidly re-run.

$M_e$, the actual maintainability, is given by:

$$M_e = \frac{L_{+} + L_{-} + L_{m}}{L_{p}}$$

$L_{+}$ - number of lines added to the source of the product;
$L_{-}$ - number of source lines removed from the product;
$L_{m}$ - number of source lines partially modified in the product;
$L_{p}$ - number of lines of existing source code at the start of the maintenance process;

If the software developer uses a rigid development method, the maintainability of the source code is given by:

$$M_e = \frac{L_{m}}{L_{p}}$$

$L_{m}$ - number of source lines modified;
$L_{p}$ - number of lines of existing source code at the start of the maintenance process;

Maintainability is ensured by placing counters that verify proper operation in distributed systems. The resulting data should be analyzed periodically to determine whether there are defects or whether the efficiency and reliability of system operation are below the expected level.

Performance is the extent to which a distributed system uses the resources available for carrying out the tasks required by users. Performance is analyzed for the functional and non-functional requirements.
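The actual maintainability measure defined above, read as $M_e = (L_{+} + L_{-} + L_{m}) / L_{p}$, can be computed directly from a patch. The following Python example is added here and is not code from the paper: it parses a unified diff and counts $L_{+}$, $L_{-}$ and $L_{m}$, assuming that a removed line directly answered by an added line is one partially modified line; the sample patch, its file names and the starting size of 250 lines are constructed.

```python
import re
from dataclasses import dataclass

# Unified-diff hunk header: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


@dataclass
class ChangeCounts:
    added: int = 0     # L+ : lines added to the source
    removed: int = 0   # L- : lines removed from the source
    modified: int = 0  # Lm : lines partially modified


def count_changes(diff_text: str) -> ChangeCounts:
    """Classify the changed lines of a unified diff into L+, L- and Lm.

    Assumption (not from the paper): inside one change block, each removed
    line that is answered by an added line counts as one modified line; any
    surplus is a pure removal or a pure addition.
    """
    counts = ChangeCounts()
    old_left = new_left = 0  # lines the current hunk still owes (from its header)
    minus = plus = 0         # '-' and '+' lines in the change block being read

    def close_block() -> None:
        nonlocal minus, plus
        paired = min(minus, plus)
        counts.modified += paired
        counts.removed += minus - paired
        counts.added += plus - paired
        minus = plus = 0

    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:
            # Outside a hunk only a hunk header matters. File headers such as
            # '--- a/x' and '+++ b/x' are skipped here, so they are never
            # mistaken for removed or added source lines.
            close_block()
            header = HUNK_RE.match(line)
            if header:
                old_left = int(header.group(1) or 1)
                new_left = int(header.group(2) or 1)
            continue
        if line.startswith("\\"):      # "\ No newline at end of file"
            continue
        if line.startswith("-"):
            if plus:                   # a '-' after '+' starts a new block
                close_block()
            minus += 1
            old_left -= 1
        elif line.startswith("+"):
            plus += 1
            new_left -= 1
        else:                          # a context line ends the block
            close_block()
            old_left -= 1
            new_left -= 1
    close_block()
    return counts


def maintainability(counts: ChangeCounts, lines_at_start: int):
    """Return (actual M_e, rigid-method M_e) for Lp = lines_at_start."""
    if lines_at_start <= 0:
        raise ValueError("Lp must be a positive number of source lines")
    actual = (counts.added + counts.removed + counts.modified) / lines_at_start
    rigid = counts.modified / lines_at_start
    return actual, rigid


# Constructed sample: a two-file security fix (bounds check added, token
# logging removed). File names and contents are illustrative only.
SAMPLE_DIFF = """\
--- a/session.c
+++ b/session.c
@@ -10,5 +10,7 @@
 int load_token(char *dst, size_t cap, const char *src)
 {
-    strcpy(dst, src);
+    if (strlen(src) >= cap)
+        return -1;
+    memcpy(dst, src, strlen(src) + 1);
     return 0;
 }
--- a/teardown.c
+++ b/teardown.c
@@ -40,6 +40,5 @@
 void close_session(struct session *s)
 {
-    log_debug("token=%s", s->token);
     free(s->token);
     free(s);
 }
"""

if __name__ == "__main__":
    c = count_changes(SAMPLE_DIFF)
    actual, rigid = maintainability(c, lines_at_start=250)  # Lp is constructed
    print(c, f"M_e actual={actual:.3f} rigid={rigid:.3f}")
```

Reading the hunk lengths from each header, rather than testing line prefixes alone, keeps a removed source line that itself begins with `--` from being treated as a file header.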
Thus, to assess the performance level, functional requirements are analyzed in terms of the time taken and the accuracy of the results that users obtain when the algorithms implemented in the distributed system are applied to a set of predefined problems. The aim is to perform swiftly the calculations needed to obtain the results required by the user, and to ensure their reliability. The performance of non-functional requirements is evaluated by following the levels of the quality characteristics of the software processes analyzed during the effective operation of the distributed system. To quantify the values of the quality characteristics it is necessary to determine the optimal levels at which the operation of the system is to be recorded. These levels are considered an optimum reference configuration of application performance. To determine the extent to which performance matches these levels, a comparative analysis is carried out periodically for each characteristic, which will result in some performance

indicators measuring the percentage recorded in the period under review compared with the defined baseline of optimal performance.

The PERFF indicator is defined as the functional performance and PERFNF represents the non-functional performance of the distributed system.

Tmin and - the minimum time required for completion and operation;
Tmax and - the maximum time needed to make the transaction;
$C_j$ - measured level of quality characteristic j;
$CO_j$ - the optimal level of quality characteristic j;
ncp - the number of features as recorded in the measurement of performance;

The optimal functioning of the application is set as a basic configuration in the testing process. The use cases define all the application functionalities and determine individual measurements for each. Thus the performance of the application for configuration k is determined using the formula:

$C_{kj}$ - the measured level of quality characteristic j associated with pattern k;
$CO_{kj}$ - the optimal level of quality characteristic j associated with pattern k;
kncp - number of features as recorded in the measurement of the performance associated with pattern k;

To optimize performance measurement for distributed systems it is necessary to establish a set of common characteristics $MPCC = (CCP_1, CCP_2, \dots, CCP_{npcc})$ and a number of distinct sets of quality characteristics associated with each configuration, $MMPDC = (MDPC_1, MDPC_2, \dots, MDPC_{ncp})$, where $MDPC_k = (PDC_1, PDC_2, \dots, PDC_{npdck})$; npdck is the number of distinct quality characteristics of pattern k. Figure 1 is an outline of the quality characteristics used to measure the performance of a distributed system containing a number of different configurations, each having an associated set of ncp quality characteristics.

Fig. 1. Performance quality environment

Scalability is the property of a distributed system that indicates its ability to manage increasing amounts of processing in an efficient way and, at the same time, to be easy to extend. Because the virtualization of business processes requires processing continuously growing data flows, the scalability of distributed systems is important for minimizing the costs of using and maintaining operable services within the organization that implements the distributed system. A key property of scalability is that, if the processing load changes substantially, a specified number of additional resources is needed rather than complex software reengineering processes. Implementing a system with a high degree of scalability is an issue to be considered during the design of distributed systems. A system that achieves a high level of scalability minimizes the software reengineering effort and lowers the later costs of redesigning the distributed system for scalability. The level of scalability is improved in the process of:

- design, by taking measures to maintain performance and by developing specifications that maintain the efficiency of processing algorithms under any workload;
- optimization of the code, by reengineering the software modules that hamper processing when the workload changes;
- optimization of the product, by adding a third module that supports some of the processing when the workload changes, and by changing the configuration file to preserve the desired level of product efficiency when working conditions change;
- optimization of hardware resources, by adding hardware processing or memory modules to increase the resources available in the distributed system so that processing efficiency is kept high.

Figure 2 shows the impact of the processes of design, source code optimization and product optimization on the scalability of the software product.

Fig. 2. Impact of change processes on the scalability

Scalability is measured using the indicator SCB:

NRVDDR - number of successful runs with variable data volume;
TRSD - total number of runs in the distributed system;

Scalability is an important aspect when considering post-release costs for open source software, as it warrants the further development of the product by minimizing costs and increasing the degree of flexibility in the application.

3. The optimization cost

Optimizing the selection process takes a considerable amount of work to improve. Considering the set of moments $M_1, M_2, \dots, M_k$ and the set of versions $V_1, V_2, \dots, V_k$, the optimal version is determined as:

$$V(M_h) = \min_{1 \le i \le k} \{ V_i \}$$

$V(M_h)$ - the best choice of $M_1, M_2, \dots, M_k$.

To achieve the best optimization it is necessary to define the optimality criteria, so that only certain features of the computer security system associated with the application are improved. For computer security, the criterion is best defined as minimizing the execution time of the procedures that make up the computer security system, by optimizing the data processing algorithms, eliminating unnecessary source code, analyzing their threads and directing execution along the shortest path, thus achieving the:

- maximization of application efficiency, by defining effectiveness thresholds for all operations carried out and by identifying critical areas in the security system;
- maximization of the accuracy of the computer security system, so that it identifies threats and attempted attacks on protected goods as accurately as possible;
- minimization of the time needed to troubleshoot the security system, by reusing source code.

Optimization of the source code is meant to improve the quality of procedures and the execution time. Optimizing the source code design minimizes the number of defects, thereby improving the overall performance of the computer security system by raising the quality characteristics of the product. Optimization by increasing the quality of the security system is based on:

- testing, which is meant to observe system problems, and the resumption of the development life cycle segments that were identified as error prone, thus implementing solutions to improve their quality;
- internal reporting of the security system, which uses simulations with test data to determine which quality characteristics have a lower level than expected;
- reporting of the problems discovered by users, using regular logging:
  o erroneous results produced due to the validation of input entered in the application;
  o system failure due to incorrect use of limits;
  o database corruption due to lack of protection against attacks that target the integrity of databases;
  o leakage of confidential information through illicit monitoring of the application by third parties;
  o need to establish stronger authentication because of the ease with which unauthorized access to the system and its resources is gained;
- running regular reports to monitor progress in terms of current application use, in order to highlight the information security issues most frequently encountered;
- the emergence of new technologies whose use will result in a transfer of quality to the security system;
- the development of new technologies in the information security field whose implementation makes the security system more efficient;
- certification, which allows developers to find new techniques that work better than older ones, leading to better written source code with fewer errors; this saves time in troubleshooting the security system and saves money that was spent on overtime for debugging instead of being allocated to development or other income-generating activities;
- software development companies certified in quality systems set up policies with clearly defined criteria to optimize the quality processes in the software development cycle.

Increasing the quality of security leads to an improved system, corresponding to increased levels of the specified quality characteristics. This version is clearly superior to the old one in terms of the optimized quality characteristics. Optimizing data access is important in any security system. To optimize data access the following are considered:

- reengineering the procedures that read from and write to the database, to use newer, more efficient ways of working with it;

- replacing equipment with more efficient hardware, to enable and improve data access speed;
- optimizing storage space by using a compact internal format for:
  o dates;
  o unique codes;
  o system events;
  o external events;
- optimizing the time performance of database transactions by minimizing the number of requests handled by the database management system; this is done by sending all requests made in a specified time in a single transaction, thereby reducing the overall waiting time.

Optimizing data access plays an important role in saving time when:

- the security system uses a subsystem based on the correlation of intrusion detection events, where the time needed to review all system events is significant;
- the security system uses internal reporting mechanisms necessary for verification and performance analysis;
- the number of users is very high and the need for input validation in the application is significant, as recording user behavior is a complex process requiring a significant period of time to be achieved under optimum conditions.
Boja considers several types of optimization [8]:

- uni-criterial, based on choosing a single criterion of the computer security platform and breadth of the security system, which implements a set of solutions $SS = (S_1, S_2, \dots, S_k)$ corresponding, as stated in [8], to a set of developed program versions $SV = (V_1, V_2, \dots, V_k)$ and a set of moments in time $MS = (M_1, M_2, \dots, M_k)$, using the equation for choosing the optimal version from the set of versions at a given time; to choose the optimization criteria, the needs of the security system are determined and, given the nature of the protected property and the environment in which it operates, the following criteria are considered:
  o maximize the level of data encryption;
  o maximize the efficiency of validation algorithms;
  o minimize response times;
  o maximize the quality of source code;
  o minimize the number of defects;
  o minimize response time to events;
  o maximize the performance of authentication systems;
  o minimize access time to data;
  o eliminate inefficient procedures;
  o complete security of goods;
  o eliminate security risks;
- bi-criterial, consisting of two criteria for the optimal selection and development of the version of the security system that implements the better selected solutions; according to [8], the influence of optimizing the first factor on the second is analyzed; to choose the optimum solution it is necessary to analyze the aggregated results of the development; according to [8], a function is needed that calculates the aggregate of the two selected factors, and the version that has the highest aggregate level is chosen;
- multi-criterial, in which a set of security characteristics $SC = (C_1, C_2, \dots, C_k)$ is optimized and a set of versions of the system $SV_m = (V_{m1}, V_{m2}, \dots, V_{mm})$ results from the implementation of the set of solutions

$SS_m = (S_{m1}, S_{m2}, \dots, S_{mm})$; choosing the optimal outcome depends on the aggregate of the improved characteristics, the optimal variant being chosen using the aggregation function.

Cost optimization, according to [9], consists of the practices, skills and behavior adopted by an organization to reduce and minimize costs while preserving the quality of the software systems developed and maintaining the steady growth potential of the organization. The aim is to optimize costs at the organizational level, at the level of the software development teams and at the source code level. Optimization of organizational costs aims to identify the administrative and production areas of the organization that have the highest costs and to intervene by minimizing or eliminating the costs:

- of supporting auxiliary operations that bring no profit;
- of staff that doesn't affect profit-generating activities;
- of the availability of materials and equipment not necessary for the proper conduct of business processes and software development;
- of transporting employees, by identifying ways to decrease the number of business trips and, if possible, addressing situations through video-conferences or through the internal computer network;
- with third parties, by requesting bids to obtain the best price for the materials and equipment needed.

Cost optimization in the development teams must follow a plan to reward software developers based on recorded performance, and must also implement a value system following the value matrix in Table 1.

Table 1. Matrix value
Features Feature Level Weak Mediocre As expected More than expected Very good
C 1 X C 2 X C 3 X C i-1 X C i X C and 1 X X C n-2 X C n-1 X X C n

The characteristics and expectations are quantified based on the experience, responsibilities and dedication of the software developers. Based on these characteristics the plan is established and the developer's motivation over time is determined. If the individual is ineffective, i.e. has a negative slope of progress, it is necessary to remove him, because the costs caused by his work outweigh the benefits to the organization. Cost optimization of source code quality, under the maintenance requirements imposed by the security solution architects, is determined as minimizing the time and funds related to debugging activities. Also, if high quality source code is achieved, it is less likely that damages and penalties will have to be paid to users for faulty computer security systems.

Optimization is a continuous process, as with each version the need for improvements materializes from observing the behavior of the information security application. Figure 3 shows the evolution of application versions $V_1, V_2, \dots, V_k$ along the moments $M_1, M_2, \dots, M_k$.

[Fig. 3. Evolution of versions of the application: versions $V_1, V_2, \dots, V_i, \dots, V_k$ (axis: Version) at moments $M_1, M_2, \dots, M_i, \dots, M_k$ (axis: Moment)]

This is expressed in the following relation:

$$V(V_{i+1}) > V(V_i), \quad i = 1..n-1$$

$V(V_{i+1})$ - the value of the application at time $M_{i+1}$;
$V(V_i)$ - the value of the application at time $M_i$.

The optimum timing for changing the security system of computer applications is determined by the technological advances made in computer security that lead to fighting the latest type of threat. In [10] a time frame $T = (t_1, t_2, \dots, t_n)$ is considered, and with each time t there is only one technological improvement. As in [10], the cost of technology is represented by a function with parameters:, Q, S ) ( t t, k t, k - cost of implementing a new security model; t
$Q_{t,k}$ - cost of maintenance of the old security system until the end of k > t;
$S_{t,k}$ - liquidation value of the old security system at the end of k > t.

It is considered that as time goes on the maintenance cost increases and the liquidation value falls, as follows: $Q_t < Q_{t+1}$ and $S_t > S_{t+1}$.

The cost of replacing security technologies at the time k is given by the following equation: TEC ( t, Qt, k, S t, k ) = t+ Qt, k S t, k

The aim is to minimize the cost of such replacement, which is calculated for all times k > t according to Table 2.

Table 2. Choice of optimal replacement cost
k 1 k 2... k i... k m
TEC, Q, S ) TEC, Q, S ) TEC, Q, S ) TEC, Q, S ) ( t t, k t, k1 ( t t, k t, k2 ( t t, k t, ki ( t t, k t, km

The aim is to find:

TEC optim = min { TEC ( t, Qt, k, St, k i= 1.. m i )}

The point of optimal replacement of the computer security system is represented graphically in Figure 4.

[Fig. 4. Graphical representation of optimal replacement point: curves $S_{t,k}$ and $Q_{t,k}$; axes Value and Duration; marked points $V_0$ and $D_0$]

Optimizing cost is an important economic issue in any IT project, especially for computer security, where cost optimization without affecting the quality of the computer security system is necessary.

4. The maintenance cost

Maintenance is the process of updating the distributed application to reflect changes in economic, social and legal procedures. As computer applications are used by very large numbers of people, it is necessary that environmental changes are reflected in all computer applications in a very short time. For a distributed application, the development plan states that the architecture should be modular. Each module is updated as necessary, so that the sum of the changes makes the application reflect reality. A modular application facilitates updating, as team members perform maintenance work on the application modules and make updates in a very limited time. The maintenance process of the distributed application is carried out only while the costs it incurs are very low and do not warrant the reengineering of the application. Maintenance is a costly process for defect prone code. Security defects are even more costly considering the consequences. Figure 5 presents a scatter plot obtained from the Mozilla project bug database; about 200 security related defects were considered for analysis.

Fig. 5. Effort scatter plot

Another aspect of defects is their recorded severity. Severity will differ according to factors such as:

- affected functionality, which is of high importance for severity, as it marks the software functionalities made unusable, faulty or incompatible with established quality standards;
- number of replications, which refers to the number of defect or problem reports listed for the issue; these defects are all marked as duplicates except one, which is the one to be solved;
- workarounds, meaning methods or ways to get around the specified defect; these include avoiding the incorrect functionality, using a different input such that the defect won't replicate, or any other way that does not trigger the faulty behavior; if a workaround is found the defect will be marked with a lower severity because of it, while a defect with no available workarounds is suitable for a higher severity;
- impact, which is related to the effect of the defect on the software product, as some defects are specific only to a restricted functionality or code area, whereas some have an effect on more modules, thus affecting more software functions; the impact of the defect is higher when the source code error that introduced the defect is in a more critical and more heavily used area of the source code;
- severity lowering cost, meaning what the organization will lose in credibility, compensation and effort if the defect is given a lower severity by the QA manager; reasons for doing this include a high number of more urgent defects, no developers available to solve the issue in question, or no interest on the part of the organization in resolving the issue because the affected functionality will not be used in the upcoming version, so that the risk of leaving it open is assumed.

The severity distribution of the 200 defects selected from the Mozilla project database is presented in Figure 6.

Fig. 6. Severity distribution

It is important to get an idea of the effort needed to resolve existing defects. The time until a resolution is given varies according to:

- defect priority, which relates to the fact that some defects with high priority will be pushed up the defect queue in order to be fixed faster than others, because of their severity or because they are needed in upcoming service packs, patches or releases;
- available developers, which is also a resolution time constraint, as it is difficult to reassign developers from ongoing projects to defect fixing; this causes delays in their work and penalties in other areas of the software development effort;
- QA and testing support, defined by the input the developer receives from the quality manager or from the testing department on resolving the issue; QA support relates to quality guidelines, regression testing, replication instructions or code reviews of the developed code; this is usual for defects located in sensitive areas of the code; this kind of fix requires intensive testing of all affected functionalities, in order to ensure that the introduced fix did not affect the correctness of other modules that use the modified code area;
- testing time, which is also a delay in the resolution duration; it is caused by the testing team being overwhelmed by other duties, so that the testing request from the developer is postponed until testers are available; another aspect is testing difficulty, which may vary from defect to defect, but the more critical the source code area containing the defect, the more complex the testing strategy will be;
- defect difficulty, which is related to how long the software developer will take to identify the code error and provide an appropriate fix for it; the higher the difficulty, the more time is needed to resolve the fault; defect difficulty is influenced by defect type, defect location and the developer's familiarity with the source code being debugged when tracing the defect;
- defect count, which is also a time factor, because while the developer is assigned to a certain defect the other defects in the queue, even if assigned to him, will be pending until the developer finds time to work on them;
- developer experience, which is important when considering the time taken to resolve an issue, because a more experienced developer will spot faults faster and come up with quality fixes in a shorter time than an inexperienced one;

- organization quality policy, which is related to the classification of defects, i.e. some defects are more important at the time and need a fix much faster, while others are placed in the defect queue and are pending until further notice or until they become important under new quality policies;
- organization long term quality targets, which refer to how the organization plans to improve source code quality; some organizations have a zero critical defect rule on release, which means that on the release day there will be no critical defects left unresolved; this in turn shifts the focus of the development team from all other bugs to the critical ones, leaving the others pending.

Figure 7 presents the average effort recorded for the 200 defects located in the Mozilla project.

Fig. 7. Average fixing effort

In order to determine the effort needed for fixing a defect the following must be considered:

- defect fixing time;
- fix testing time;
- service pack or patch development time;
- fix integration in client environment time.

The cost computation is done using:

DFT - defect fixing time;
FTT - fix testing time;
SPDT - service pack or patch development time;
FINT - fix integration time;

5. Conclusions

Post release quality is affected by defects found at the client site. After the software is released its quality is related to usage: the more a software component is used, the

probability of finding more defects is higher than in a software component that has a lower usage level. Optimization costs come into play when considering a request to add new functionalities after a software product is in use by clients; it is important to decide whether the cost of implementing the new functionality is higher than that of replacing the software completely, and this analysis should always be done when large optimization requests are made. A thorough optimization cost analysis provides an idea of the software's value before the improvement and of the costs related to its replacement. Maintenance costs are related to the effort required to fix defects. Defects are latent, meaning that they were missed during pre-release testing or were introduced by developers when adding new functionalities or fixing other defects. Maintenance costs are also connected to the QA processes in place at the software house that develops the software: the more the QA processes are in line with standards and emphasized, the better the quality of the software product will be, which means fewer errors in the source code and fewer activated faults, and thus a lower number of software failures compared with similar products that lack good QA processes and planning. Overall, security issues are costly if not addressed in time, and both optimization and maintenance costs apply to software security components. The defect database provided freely by the Mozilla project gives information on defect status and resolution, defect notes and effort, which is of use when assessing the quality of the Mozilla software applications.

Acknowledgements

This article is a result of the project Doctoral Program and PhD Students in the education research and innovation triangle. This project is co-funded by the European Social Fund through The Sectorial Operational Programme for Human Resources Development, coordinated by The Bucharest Academy of Economic Studies.
References
[1] accessed
[2] accessed
[3] accessed
[4] accessed
[5] accessed
[6] accessed
[7] accessed
[8] C. Boja, Optimizarea aplicatiilor informatice, PhD thesis, ASE, Bucharest, April 11th
[9] accessed

[10] accessed

Author

Dragos PALAGHITA graduated from the Academy of Economic Studies of Bucharest, Cybernetics Statistics and Economic Informatics faculty, Economic Informatics section in He is programming in C++ and C# and his main areas of interest are Informatics Security, Software Quality Management, large data set analysis and graphical representation enhancements. Currently he is undergoing PhD studies at the Academy of Economic Studies of Bucharest, Cybernetics Statistics and Economic Informatics. He published several articles in JAQM, Informatica Journal, Economie Teoretica si Aplicata journal, Revista Romana de Automatica si Informatica.


More information

IC32E - Pre-Instructional Survey

IC32E - Pre-Instructional Survey Name: Date: 1. What is the primary function of a firewall? a. Block all internet traffic b. Detect network intrusions c. Filter network traffic d. Authenticate users 2. A system that monitors traffic into

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

Administering a SQL Database Infrastructure

Administering a SQL Database Infrastructure Administering a SQL Database Infrastructure 20764B; 5 Days; Instructor-led Course Description This five-day instructor-led course provides students who administer and maintain SQL Server databases with

More information

The data quality trends report

The data quality trends report Report The 2015 email data quality trends report How organizations today are managing and using email Table of contents: Summary...1 Research methodology...1 Key findings...2 Email collection and database

More information

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES

ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES ANALYSIS OF MODERN ATTACKS ON ANTIVIRUSES 1 SILNOV DMITRY SERGEEVICH, 2 TARAKANOV OLEG VLADIMIROVICH Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow

More information

Cloud for Government: A Transformative Digital Tool to Better Serve Communities

Cloud for Government: A Transformative Digital Tool to Better Serve Communities Cloud for Government: A Transformative Digital Tool to Better Serve Communities 1 005181004 From state to local agencies, government organizations crave access to the same cloud-based tools enabling digital

More information