Centralized vulnerability database for organization specific automated vulnerabilities discovery and supervision

Rahman, Munib ur; Deep, Vikas; Multhalli, Santosh

doi:10.1109/rains.2016.7764378

Cited by 5 publications

(3 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therein, CVSS is the most adopted information utilized by 15 selected papers where it quantifies the evaluation of vulnerability impact. For example, five studies, Frei et al (2006), Gallon (2011), Chang et al (2011), Jiang et al (2019), investigate the trends and distribution of vulnerabilities in databases in terms of CVSS; Seven studies, Roschke et al (2009), Wang and Guo (2009), Shahzad et al (2012), Kuo et al (2013), Kim et al (2013), ur Rahman et al (2016), and Jiang et al (2019, propose approaches to merge vulnerability databases also taken into account CVSS as one of their key information resources; CVSS is also used in two studies toward vulnerability-related predictions, i.e., Zhang et al (2015), Han et al (2017). In addition, OVAL, Jira issues, CAPEC, CRE, ERI, SCAP, Code gadgets, emails from the OSS project mailing list, and user contributed attacks and vulnerabilities are also used as information sources in 10 studies reported in Table 6.…”

Section: Rq 3 What Are the Other Sources Of Information Adopted To F...mentioning

confidence: 99%

The Anatomy of a Vulnerability Database: A Systematic Mapping Study

Moreschini

Zhang

et al. 2022

SSRN Journal

View full text Add to dashboard Cite

Section: Rq 3 What Are the Other Sources Of Information Adopted To F...mentioning

confidence: 99%

The Anatomy of a Vulnerability Database: A Systematic Mapping Study

Moreschini

Zhang

et al. 2022

SSRN Journal

View full text Add to dashboard Cite

“…Centralization. Kim et al [27] and Rahman et al [48] focus on different types of databases to propose a model for a centralized database that contains aggregated vulnerability information and can improve vulnerability management. (Sub-)Domain-specific Analysis.…”

Section: Related Workmentioning

confidence: 99%

“…So, this information is highly important for any security-related stakeholder that is involved in the software's life cycle. However, this information is scattered across these databases, describes often only a single stakeholder's perspective [48], and fluctuates in quality and granularity [43]. This makes it difficult to determine the threat level of a software system, which is also influenced by many other factors.…”

Section: Introductionmentioning

confidence: 99%

Model-Based Evaluation of Vulnerabilities in Software Systems

Kenner

2020

Proceedings of the 24th ACM International Systems and Software Product Line Conference - Volume B

View full text Add to dashboard Cite

Vulnerabilities in software systems result from faults, which occur at different stages in a software's life cycle, for example, in the design (i.e., undesired feature-interactions), the development (i.e., buffer overflows), or the operation (i.e., configuration errors). Various databases provide detailed information about vulnerabilities in software systems or the way to exploit it, but face severe limitations. The information is scattered across these databases, fluctuates in quality and granularity, and provides only an insight into a single vulnerability per entry. Even for a single software system it is challenging for any security-related stakeholder to determine the threat level, which consists of all vulnerabilities of the software system and its environment (i.e., operating system). Manual vulnerability management is feasible only to a limited extend if we want to identify all configurations that are affected by vulnerabilities, or determine a system's threat level and the resulting risk we have to deal with. For variant-rich systems, we also have to deal with variability, allowing different stakeholders to understand the threats to their particular setup. To deal with this variability, we propose vulnerability feature models, which offer a homogeneous view on all vulnerabilities of a software system. These models and the resulting analyses offer advantages in many disciplines of the vulnerability management process. In this paper, we report the research plan for our project, in which we focus on the model-based evaluation of vulnerabilities. This includes research objectives that take into account the design of vulnerability feature models, their application in the process of vulnerability management, and the impact of evolution, discovery, and verification of vulnerabilities. CCS CONCEPTS • Security and privacy → Vulnerability management; • Software and its engineering → Software product lines.

show abstract