A look at the time delays in CVSS vulnerability scoring

Ruohonen, Jukka

doi:10.1016/j.aci.2017.12.002

Cited by 59 publications

(40 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2 for the intersecting subset of vulnerabilities in Safety DB that have CVEs and the corresponding vulnerabilities in NVD that have CVSS entries. Presumably due to the small delays in NVD's CVSS vulnerability scoring [20], it can be remarked that eight recent CVE-referenced vulnerabilities in Safety DB did not yet have CVSS data in NVD at the time of writing. The subset of vulnerabilities with both CVE and CVSS information indicate only relatively modest severity.…”

Section: A Overviewmentioning

confidence: 99%

An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

Ruohonen

2018

2018 9th International Workshop on Empirical Software Engineering in Practice (IWESEP)

Self Cite

View full text Add to dashboard Cite

This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be only modestly severe; input validation and cross-site scripting have been the most typical vulnerabilities. In terms of the time series analysis based on the release histories, only the recent past is observed to be relevant for statistical predictions; the classical Markov property holds.

show abstract

Section: A Overviewmentioning

confidence: 99%

An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

Ruohonen

2018

2018 9th International Workshop on Empirical Software Engineering in Practice (IWESEP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…This conjecture applies both to the CVSS framework [5] and to quantitative security assessments in general [41]. However, analogous reasoning does not seem to hold in the context of NVD and the second version of the CVSS standard; the content of the standard does not notably affect the delays for CVSS assignments [88]. In addition to these empirical observations, it is difficult to speculate why some particular CVSS metric would either increase or decrease the coordination and related delays [93].…”

Section: Vulnerability Metricsmentioning

confidence: 99%

“…Therefore, y i focuses on the internal coordination done by MITRE affiliates, the NVD team, and other actors involved in the coordination. One way to think about this internal coordination is to consider the delay metric as an indirect quantity for measuring how fast work items in a backlog or an inventory are transferred to complete deliveries [62,88]. Due to data limitations, however, it is currently neither possible to observe the internal within-MITRE (or within-NVD) coordination directly nor to explicitly measure the work items in the CVE backlog.…”

Section: Coordination Delaysmentioning

confidence: 99%

“…Another point is that rather analogous problems are often encountered with count data regressions. For instance, the negative binomial distribution is often preferable over the Poisson distribu-tion [88]. Also the gamma distribution is known to characterize related difference-based vulnerability datasets [39].…”

Section: Estimationmentioning

confidence: 99%

“…where • 1 denotes the L 1 -norm and λ is a non-negative tuning parameter [3]. Although cross-validation and other techniques can be used for selecting the tuning parameter [88], the QR-LASSO regressions are estimated with λ ∈ [1, 2, . .…”

Section: Estimationmentioning

confidence: 99%

See 2 more Smart Citations

A case study on software vulnerability coordination

Ruohonen

Rauti

Hyrynsalmi

et al. 2018

Information and Software Technology

Self Cite

View full text Add to dashboard Cite

Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method : Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for the contemporary CVE coordination.

show abstract