Posted on 2014-06-11, 00:00. Authored by Francesco Costa
Security breaches and vulnerabilities in software are topics that are rapidly gaining importance and attention. Every year about 6000 vulnerabilities are officially classified in the NIST National Vulnerability Database.
Usually these vulnerabilities are not actually perceived by end users, who are light years away from a technical understanding of what happens in the software and services that they use daily.
Providing a crisp definition of what secure software is, and of how to establish whether one piece of software is more secure than another, is an extremely hard problem to solve.
The goal of this work is not to provide a final answer to a problem that most likely doesn't have a crisp answer and that intrinsically lends itself to many interpretations, depending on the perspective from which it is observed.
This work focuses on developing a way to approach the problem: understanding the environment related to it and providing means of analyzing and comparing different systems, and the applications that run on top of them, from the security perspective.
These concerns have been addressed by the creation of a conceptual framework based on a taxonomization process of security flaws in software.
The proposed methodology has been applied and tested in a real case involving the experimental security-oriented operating system Ethos.