Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions

Anwar, Afsah; Khormali, Aminollah; Nyang, DaeHun; Mohaisen, Aziz

doi:10.1007/978-3-030-01701-9_21

Cited by 7 publications

(11 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(1) A Common Vulnerability Exposure (CVE) ID number [8] that uniquely identifies the vulnerability. (2) The vulnerability entry's publication date. (3) The vulnerability type/category, as classified by the Common Weakness Enumeration (CWE) [29].…”

Section: Datasetmentioning

confidence: 99%

“…Both commercial security services (e.g., Hakiri [12], Snyk [18], and SourceClear [17]), and open-source security tools (e.g., Bundleraudit [11], OWASP OSSIndex [16], and Dependency-check [13]) depend on the NVD's vulnerability information to function effectively. Furthermore, researchers [2,3,27] have used the NVD as a core data source to shed light on aspects of the vulnerability discovery and remediation process. Given the importance of the NVD, it is crucial that we understand the quality of its data, lest some incorrect information leads to a critical security lapse [5].…”

Section: Introductionmentioning

confidence: 99%

“…Overall, the study can be utilized by the NVD towards the following end goals: (1) The estimated disclosure date identification can enrich the vulnerability report for the end-user's perusal. (2) The vendor and product inconsistency finding tool can be leveraged during the vulnerability reporting process to suggest suitable vendor and product names to analysts. Moreover, the observations from our analyses and measurements can used as a best practice when adding new vendors and product names in NVD.…”

Section: Introductionmentioning

confidence: 99%

“…(1) Through an extensive data-driven approach backed by web scraping, manual investigation, and machine learningbased automation, we assess the quality of NVD, identifying concerns affecting each vulnerability data field. (2) We identify methods to automatically remedy the data quality issues in NVD, providing a more reliable source of vulnerability information. (3) As case studies, we conduct several large-scale analyses of vulnerabilities, providing the most accurate findings to several basic but core questions on vulnerability discovery, disclosure, and remediation.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

Anwar¹,

Abusnaina²,

Chen³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

Vulnerability databases are vital sources of information on emergent software security concerns. Security professionals, from system administrators to developers to researchers, heavily depend on these databases to track vulnerabilities and analyze security trends. How reliable and accurate are these databases though?In this paper, we explore this question with the National Vulnerability Database (NVD), the U.S. government's repository of vulnerability information that arguably serves as the industry standard. Through a systematic investigation, we uncover inconsistent or incomplete data in the NVD that can impact its practical uses, affecting information such as the vulnerability publication dates, names of vendors and products affected, vulnerability severity scores, and vulnerability type categorizations. We explore the extent of these discrepancies and identify methods for automated corrections. Finally, we demonstrate the impact that these data issues can pose by comparing analyses using the original and our rectified versions of the NVD. Ultimately, our investigation of the NVD not only produces an improved source of vulnerability information, but also provides important insights and guidance for the security community on the curation and use of such data sources.

show abstract

Section: Datasetmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

Anwar¹,

Abusnaina²,

Chen³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Anwar et al [17] analyzed the effect of vulnerabilities on vendors and demonstrated the impact depends on the products' industry sector. Gamero-Garrido et al [18] characterized the effect of legal threats on vulnerability researchers and observed that 40% of the studied vendors allow academic researchers to evaluate their products, and 25% of security researchers stated they do not do so because they fear legal measures.…”

Section: Related Workmentioning

confidence: 99%

Measuring the Cost of Software Vulnerabilities

Anwar¹,

Khormali²,

Choi³

et al. 2020

ICST Transactions on Security and Safety

Self Cite

View full text Add to dashboard Cite

Enterprises are increasingly considering security as an added cost, making it necessary for those enterprises to see a tangible incentive in adopting security measures. Despite data breach laws, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. We perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the nonlinear autoregressive neural network with exogenous factors (NARX) Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better prediction performance. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all.

show abstract

Enriching Vulnerability Reports Through Automated and Augmented Description Summarization

Althebeiti,

Mohaisen

2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Understanding the Hidden Cost of Software Vulnerabilities: Measurements and Predictions

Cited by 7 publications

References 22 publications

Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

Measuring the Cost of Software Vulnerabilities

Enriching Vulnerability Reports Through Automated and Augmented Description Summarization

Contact Info

Product

Resources

About