82 research outputs found

    A Case Study on Software Vulnerability Coordination

    Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: [...

    A Comprehensive Framework for Patching and Vulnerability Management in Enterprises

    As patching and vulnerability management have become a larger part of an organization's routine, its need for proper integration and complexity toward systems has increased. Threat actors continuously seek to develop and perform attacks exploiting vulnerabilities within systems, meaning organizations face the challenge of timely implementing patches to protect their assets. The master's thesis aims at gathering extensive information regarding patching and vulnerability management by integrating a semi-systematic literature review (SSLR), a semi-structured qualitative interview process, and our sense-making. These research methods collect insights from the existing theory and professionals' opinions. The SSLR allowed for gathering relevant studies and sense-making, which were subsequently utilized in developing a conceptual model depicting the vital processes and procedures of patching and vulnerability management based on the theory. As such, the conceptual model was showcased within the semi-structured qualitative interviews, which allowed for unbounded discussions regarding the practices, implementations, and expert input toward the conceptual framework and its improvement areas. The interviews and selection of interviewees allowed for several viewpoints and a wide perspective. Subsequently, after synthesizing the findings from the interviews and additionally gathered theory, the comprehensive framework, which aims to refine and extend the conceptual framework, was developed. The comprehensive framework aims at depicting the enterprises' collective patching and vulnerability management process, along with the intersection of the existing theory. Correspondingly, the framework could be utilized by enterprises to either improve their processes or for enterprises to implement absent processes. The findings highlight a major diversity in the implementation and execution of patching and vulnerability management. 
Larger companies tend to have more mature processes and employ more automation within their collection of vulnerability information and deployment of patches. Conversely, smaller companies lack the resources allocated to perform needed tasks, which results in a less organized and effective process. The research findings subsidize the existing research gap related to a lack of frameworks depicting the interrelation between patching and vulnerability management and how enterprises currently perform these processes. Additionally, it provides a substantially valuable resource for practitioners, researchers, and enterprises wishing to improve their processes based on an exploratory study assessing the existing literature, experts' opinions, and the design of the conceptual and comprehensive framework. As the comprehensive framework aims to provide a generalized approach and implementation, it can be employed by different-sized businesses while tailored to their needs

    Countering Cybersecurity Vulnerabilities in the Power System

    Security vulnerabilities in software pose an important threat to power grid security, which can be exploited by attackers if not properly addressed. Every month, many vulnerabilities are discovered and all the vulnerabilities must be remediated in a timely manner to reduce the chance of being exploited by attackers. In current practice, security operators have to manually analyze each vulnerability present in their assets and determine the remediation actions in a short time period, which involves a tremendous amount of human resources for electric utilities. To solve this problem, we propose a machine learning-based automation framework to automate vulnerability analysis and determine the remediation actions for electric utilities. Then the determined remediation actions will be applied to the system to remediate vulnerabilities. However, not all vulnerabilities can be remediated quickly due to limited resources and the remediation action applying order will significantly affect the system's risk level. Thus it is important to schedule which vulnerabilities should be remediated first. We will model this as a scheduling optimization problem to schedule the remediation action applying order to minimize the total risk by utilizing vulnerabilities' impact and their probabilities of being exploited. Besides, an electric utility also needs to know whether vulnerabilities have already been exploited specifically in their own power system. If a vulnerability is exploited, it has to be addressed immediately. Thus, it is important to identify whether some vulnerabilities have been taken advantage of by attackers to launch attacks. Different vulnerabilities may require different identification methods.
In this dissertation, we explore identifying exploited vulnerabilities by detecting and localizing false data injection attacks and give a case study in the Automatic Generation Control (AGC) system, which is a key control system to keep the power system's balance. However, malicious measurements can be injected to exploited devices to mislead AGC to make false power generation adjustment which will harm power system operations. We propose Long Short Term Memory (LSTM) Neural Network-based methods and a Fourier Transform-based method to detect and localize such false data injection attacks. Detection and localization of such attacks could provide further information to better prioritize vulnerability remediation actions