Published in: Empirical Software Engineering 6/2023

Published 1 November 2023

On the coordination of vulnerability fixes

An empirical study of practices from 13 CVE numbering authorities

Authors: Jiahuei Lin, Bram Adams, Ahmed E. Hassan



Abstract

The Common Vulnerabilities and Exposures (CVE) program analyzes vulnerabilities, assigns each one a unique ID, and discloses them to the affected software vendors. A CVE Numbering Authority (CNA) is a key partner in the CVE program: it assigns the official CVE ID to a vulnerability and registers a description of it so that the vulnerability can be communicated to the other CNAs and to the affected vendors. To avoid disclosing a vulnerability before a fix has been developed, the CNAs and the affected vendors need to agree, through multi-party coordination, on a schedule for disclosing the vulnerability and releasing its fixes. This paper analyzes the practices that CNAs use to coordinate fix releases and disclosure by empirically studying the 13 CNAs that assigned the most CVEs from 2010 to 2020 and that are also software vendors. Our results show that the studied CNAs discover and assign CVE IDs for the majority of the vulnerabilities that affect their own products, which we refer to as self-assigned vulnerabilities. Vulnerabilities that a CNA assigns for other CNAs' products, which we refer to as delegated vulnerabilities, tend to be more severe than self-assigned ones (median Common Vulnerability Scoring System score of 7.5), yet their fixes are released at a slower pace. Moreover, when a delegated vulnerability affects the products of several CNAs, the fixes are released a median of 4 days after the disclosure date, with a median delay of 35 days between the first and the last patch release among those products, and delays of more than one year in some cases. During that interval the vulnerability is public while some affected products remain unfixed, which corresponds to a large window of exploitation.
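The metrics the abstract reports (self-assigned versus delegated vulnerabilities, median CVSS per class, delay from disclosure to the first fix, and the first-to-last patch window across the affected vendors) can be computed from a per-CVE table of assigning CNA, affected vendors, disclosure date and per-vendor fix dates. The following Python is an added illustration, not code or data from the paper: the CVE IDs, vendor names, scores and dates are constructed placeholders, and the classification rule (a vulnerability is self-assigned when the assigning CNA is the only affected vendor, delegated otherwise) is an assumed simplification of the authors' categories.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


# Constructed sample, not data from the paper. CVE IDs, vendor names, CVSS
# scores and dates are placeholders chosen to exercise the metrics.
@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    assigning_cna: str            # CNA that assigned the CVE ID
    cvss: float                   # CVSS base score
    disclosed: date               # public disclosure date
    fix_released: Dict[str, date] # affected vendor -> date its fix shipped


SAMPLE: List[CveRecord] = [
    CveRecord("CVE-0000-0001", "vendorA", 5.3, date(2020, 3, 1),
              {"vendorA": date(2020, 3, 1)}),
    CveRecord("CVE-0000-0002", "vendorA", 6.1, date(2020, 2, 10),
              {"vendorA": date(2020, 2, 12)}),
    CveRecord("CVE-0000-0003", "vendorA", 4.3, date(2020, 7, 1),
              {"vendorA": date(2020, 7, 6)}),
    CveRecord("CVE-0000-0004", "vendorA", 7.5, date(2020, 4, 10),
              {"vendorB": date(2020, 4, 14)}),
    CveRecord("CVE-0000-0005", "vendorB", 9.8, date(2020, 5, 5),
              {"vendorB": date(2020, 5, 5), "vendorA": date(2020, 5, 9),
               "vendorC": date(2020, 6, 13)}),
    CveRecord("CVE-0000-0006", "vendorC", 8.1, date(2020, 6, 1),
              {"vendorA": date(2020, 6, 9), "vendorB": date(2021, 6, 20)}),
]


def is_self_assigned(rec: CveRecord) -> bool:
    """Assumed rule: self-assigned when the assigning CNA is the only
    affected vendor; delegated when another vendor's product is affected."""
    return set(rec.fix_released) == {rec.assigning_cna}


def fix_delay_days(rec: CveRecord) -> int:
    """Days from public disclosure to the first fix shipped by any vendor.
    A negative value means a fix shipped before disclosure."""
    return (min(rec.fix_released.values()) - rec.disclosed).days


def patch_window_days(rec: CveRecord) -> Optional[int]:
    """Days between the first and the last vendor fix for a multi-vendor
    vulnerability, or None when only one vendor is affected. During this
    window the bug is public but some affected products are still unfixed."""
    if len(rec.fix_released) < 2:
        return None
    dates = rec.fix_released.values()
    return (max(dates) - min(dates)).days


def summarize(records: List[CveRecord]) -> dict:
    """Per-class counts and medians, mirroring the quantities in the abstract."""
    self_assigned = [r for r in records if is_self_assigned(r)]
    delegated = [r for r in records if not is_self_assigned(r)]
    windows = [patch_window_days(r) for r in delegated]
    windows = [w for w in windows if w is not None]
    return {
        "self_assigned_count": len(self_assigned),
        "delegated_count": len(delegated),
        "self_assigned_median_cvss": median(r.cvss for r in self_assigned),
        "delegated_median_cvss": median(r.cvss for r in delegated),
        "self_assigned_median_fix_delay": median(fix_delay_days(r) for r in self_assigned),
        "delegated_median_fix_delay": median(fix_delay_days(r) for r in delegated),
        "multi_vendor_median_patch_window": median(windows) if windows else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the delegated class has the higher median CVSS and the multi-vendor records show the first-to-last patch window the abstract describes (39 days and 376 days here). Swapping the assumed classification rule for the paper's exact definition changes only `is_self_assigned`.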


Footnotes
10
Note that we use https://www.tenable.com, since the Open Source Vulnerability Database (OSVDB), which was widely used to study the patch-available date of security vulnerabilities (Frei et al. 2006; Shahzad et al. 2012), was shut down permanently in 2016, https://www.securityweek.com/osvdb-shut-down-permanently.
References
Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in python packages. In: 2021 IEEE International conference on software analysis, evolution and reengineering (SANER'21). IEEE, pp 446–457
Allodi L (2017) Economic factors of vulnerability trade and exploitation. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1483–1499
Arora A, Krishnan R, Telang R, Yang Y (2010) An empirical analysis of software vendors' patch release behavior: impact of vulnerability disclosure. Inf Syst Res 21(1):115–132
Arora A, Krishnan R, Nandkumar A, Telang R, Yang Y (2004) Impact of vulnerability disclosure and patch availability: an empirical analysis. In: Third workshop on the economics of information security, vol 24, pp 1268–1287
Bhargava G, Chandini M (2018) Then and now: on the maturity of the cybercrime markets
Blocken B (2014) 50 years of computational wind engineering: past, present and future. J Wind Eng Ind Aerodyn 129:69–102
Chen X, Zhao Y, Cui Z, Meng G, Liu Y, Wang Z (2019) Large-scale empirical studies on effort-aware security vulnerability prediction methods. IEEE Trans Reliab 69(1):70–87
Chinthanet B, Kula RG, McIntosh S, Ishio T, Ihara A, Matsumoto K (2021) Lags in the release, adoption, and propagation of npm vulnerability fixes. Empirical Software Engineering (EMSE'21) 26(3):1–28
Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories (MSR'18), pp 181–191
Dolan-Gavitt B, Hulin P, Kirda E, Leek T, Mambretti A, Robertson W, Ulrich F, Whelan R (2016) LAVA: large-scale automated vulnerability addition. In: 2016 IEEE Symposium on security and privacy (SP'16). IEEE, pp 110–121
Farhang S, Kirdan MB, Laszka A, Grossklags J (2019) Hey Google, what exactly do your security patches tell us? A large-scale empirical study on Android patched vulnerabilities. arXiv preprint arXiv:1905.09352
Feutrill A, Roughan M, Ross J, Yarom Y (2020) A queueing solution to reduce delay in processing of disclosed vulnerabilities. In: 2020 Second IEEE international conference on trust, privacy and security in intelligent systems and applications. IEEE, pp 1–11
Frei S, May M, Fiedler U, Plattner B (2006) Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on large-scale attack defense, pp 131–138
Goyal P, Parmar V, Rishi R et al (2011) MANET: vulnerabilities, challenges, attacks, application. IJCEM International Journal of Computational Engineering & Management 11(2011):32–37
Grieco G, Grinblat GL, Uzal L, Rawat S, Feist J, Mounier L (2016) Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the sixth ACM conference on data and application security and privacy, pp 85–96
Gupta S, Gupta BB (2017) Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. International Journal of Cloud Applications and Computing (IJCAC'17) 7(3):1–43
Huang Z, D'Angelo M, Miyani D, Lie D (2016) Talos: neutralizing vulnerabilities with security workarounds for rapid response. In: 2016 IEEE Symposium on security and privacy (SP'16). IEEE, pp 618–635
Joh H, Malaiya YK (2011) Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: Proceedings of the 2011 International conference on security and management (SAM'11), vol 1, pp 10–16
Jovanovic N, Kruegel C, Kirda E (2006) Pixy: a static analysis tool for detecting web application vulnerabilities. In: 2006 IEEE Symposium on security and privacy (SP'06). IEEE, 6 pp
Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empirical Software Engineering (EMSE'18) 23(1):384–417
Lee J, Hong S, Oh H (2018) MemFix: static analysis-based repair of memory deallocation errors for C. In: Proceedings of the 2018 26th ACM Joint meeting on European software engineering conference and symposium on the foundations of software engineering, pp 95–106
Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on computer and communications security, pp 2201–2215
Liu B, Meng G, Zou W, Gong Q, Li F, Lin M, Sun D, Huo W, Zhang C (2020) A large-scale empirical study on vulnerability distribution within projects and the lessons learned. In: 2020 IEEE/ACM 42nd International conference on software engineering (ICSE'20). IEEE, pp 1547–1559
Li Z, Zou D, Xu S, Jin H, Zhu Y, Chen Z (2021) SySeVR: a framework for using deep learning to detect software vulnerabilities. IEEE Transactions on Dependable and Secure Computing
Machiry A, Redini N, Camellini E, Kruegel C, Vigna G (2020) SPIDER: enabling fast patch propagation in related software repositories. In: 2020 IEEE Symposium on security and privacy (SP'20). IEEE, pp 1562–1579
Nakajima A, Watanabe T, Shioji E, Akiyama M, Woo M (2019) A pilot study on consumer IoT device vulnerability disclosure and patch release in Japan and the United States. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS '19), pp 485–492
Nappa A, Johnson R, Bilge L, Caballero J, Dumitras T (2015) The attack of the clones: a study of the impact of shared code on vulnerability patching. In: 2015 IEEE symposium on security and privacy (SP'15). IEEE, pp 692–708
Ozment A, Schechter SE (2006) Milk or wine: does software security improve with age? In: USENIX security symposium, vol 6, pp 10–5555
Piantadosi V, Scalabrino S, Oliveto R (2019) Fixing of security vulnerabilities in open source projects: a case study of Apache HTTP Server and Apache Tomcat. In: 2019 12th IEEE Conference on software testing, validation and verification (ICST'19). IEEE, pp 68–78
Rafique S, Humayun M, Hamid B, Abbas A, Akhtar M, Iqbal K (2015) Web application security vulnerabilities detection approaches: a systematic mapping study. In: 2015 IEEE/ACIS 16th International conference on software engineering, artificial intelligence, networking and parallel/distributed computing (SNPD'15). IEEE, pp 1–6
Ruohonen J (2018) An empirical analysis of vulnerabilities in python packages for web applications. In: 2018 9th International workshop on empirical software engineering in practice (IWESEP'18). IEEE, pp 25–30
Ruohonen J, Rauti S, Hyrynsalmi S, Leppänen V (2018) A case study on software vulnerability coordination. Inf Softw Technol 103:239–257
Sabottke C, Suciu O, Dumitras T (2015) Vulnerability disclosure in the age of social media: exploiting Twitter for predicting real-world exploits. In: 24th USENIX security symposium (USENIX Security 15), pp 1041–1056
Shahzad M, Shafiq MZ, Liu AX (2012) A large scale exploratory analysis of software vulnerability life cycles. In: 2012 34th International conference on software engineering (ICSE'12). IEEE, pp 771–781
Shin Y, Meneely A, Williams L, Osborne JA (2010) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Transactions on Software Engineering (TSE'10) 37(6):772–787
Sood AK, Bansal R, Enbody RJ (2012) Cybercrime: dissecting the state of underground enterprise. IEEE Internet Comput 17(1):60–68
Stock B, Pellegrino G, Rossow C, Johns M, Backes M (2016) Hey, you have a problem: on the feasibility of large-scale web vulnerability notification. In: 25th USENIX security symposium, pp 1015–1032
Wang X, Sun K, Batcheller A, Jajodia S (2019) Detecting "0-day" vulnerability: an empirical study of secret security patch in OSS. In: 2019 49th Annual IEEE/IFIP international conference on dependable systems and networks (DSN'19). IEEE, pp 485–492
Wu D, Gao D, Cheng EK, Cao Y, Jiang J, Deng RH (2019) Towards understanding Android system vulnerabilities: techniques and insights. In: Proceedings of the 2019 ACM Asia conference on computer and communications security (AsiaCCS '19), pp 295–306
Zhang H, Wang S, Li H, Chen THP, Hassan AE (2021) A study of C/C++ code weaknesses on Stack Overflow. IEEE Transactions on Software Engineering (TSE'21)
Zhao M, Grossklags J, Liu P (2015) An empirical study of web vulnerability discovery ecosystems. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 1105–1117
Metadata
Title
On the coordination of vulnerability fixes
An empirical study of practices from 13 CVE numbering authorities
Authors
Jiahuei Lin
Bram Adams
Ahmed E. Hassan
Publication date
1 November 2023
Publisher
Springer US
Published in
Empirical Software Engineering / Issue 6/2023
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI
https://doi.org/10.1007/s10664-023-10403-x
