[go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Security Risk Indicator for Open Source Software to Measure Software Development Status

  • Conference paper
  • First Online:
Information Security Applications (WISA 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14402))

Included in the following conference series:

  • 360 Accesses

Abstract

Recently, open source software (OSS) has become more mainstream. Therefore, the security of OSS is an important topic in information systems that use OSS. When vulnerabilities are discovered in OSS, it is difficult to fix or address for each information system developer or administrator. Existing security studies propose classifying vulnerabilities, estimating vulnerability risks, and analyzing exploitable vulnerabilities. However, it is still difficult to understand the threat of exploited vulnerabilities, and the development status of OSS used in information system operations. Determining whether vulnerabilities and the OSS development status are security risks is challenging. In this study, we propose a security risk indicator for OSS to address these problems. The proposed method calculates security risk indicators by combining vulnerability information with the development status of OSS. The proposed security risk indicator of OSS is a criterion for security measures during the operation of information systems. In the evaluation, we verified whether the proposed security risk indicator can be used to identify the threats of multiple OSS and the calculation cost of the security risk indicators.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 74.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Ladisa, P., Plate, H., Martines, M., Barais, O.: SoK: taxonomy of attacks on open-source software supply chains. In: Proceedings of 2023 IEEE Symposium on Security and Privacy, pp. 1509–1526. IEEE (2023). https://doi.ieeecomputersociety.org/10.1109/SP46215.2023.00010

  2. Allodi, L.: Economic factors of vulnerability trade and exploitation. In: Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, pp. 1483–1499. ACM (2017). https://doi.org/10.1145/3133956.3133960

  3. Allodi, L., Massacci, F.: Security events and vulnerability data for cybersecurity risk estimation. Risk Anal. 37(8), 1606–1627 (2017). https://doi.org/10.1111/risa.12864

    Article  Google Scholar 

  4. Nikonov, A., Vulfin, A., Vasilyev, V., Kirillova, A., Mikhailov, V.: System for estimation CVSS severity metrics of vulnerability based on text mining technology. In: Proceedings of the 2021 Information Technology and Nanotechnology, pp. 1–5. IEEE (2021) https://doi.org/10.1109/ITNT52450.2021.9649232

  5. Householder, D, A., Chrabaszcz, J., Warren, D., Spring, M, J.: Historical analysis of exploit availability timelines. In: Proceedings of the 13th USENIX Workshop on Cyber Security Experimentation and Test, USENIX (2020)

    Google Scholar 

  6. Jacobs, J., Romanosky, S., Adjerid, I., Baker, W.: Improving vulnerability remediation through better exploit prediction. J. Cybersecurity 6(1) (2020). https://doi.org/10.1093/cybsec/tyaa015

  7. Jacobs, J., Romanosky, S., Edwards, B., Adjerid, I., Roytman, M.: Exploit prediction scoring system. Digital Threats Res. Pract. 2(3), 1–17 (2021). https://doi.org/10.1145/3436242

    Article  Google Scholar 

  8. NIST, National Vulnerability Database. https://nvd.nist.gov/. Accessed 18 Aug 2022

  9. FIRST, Common Vulnerability Scoring System SIG. https://www.first.org/cvss/. Accessed 18 Aug 2022

  10. OpenSSF, Open Source Project Criticality Score (Beta). https://github.com/ossf/criticality_score. Accessed 18 Aug 2022

  11. MITRE, Common Vulnerabilities and Exposures. https://www.cve.org/. Accessed 18 Aug 2022

  12. NIST, Official Common Platform Enumeration Dictionary. https://nvd.nist.gov/products/cpe. Accessed 18 Aug 2022

  13. CISA, Known Exploited Vulnerabilities Catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog. Accessed 8 Apr 2023

  14. Debian Project, Debian GNU/Linux (online). https://www.debian.org/. Accessed 18 Aug 2022

  15. Williams, M.A., Dey, S., Barranco, C., Naim, M.S., Hossain, S.M., Akbar, M.: Analyzing evolving trends of vulnerabilities in national vulnerability database. In Proceedings of 2018 IEEE International Conference on Big Data, pp. 3011–3020. IEEE (2018). https://doi.org/10.1109/BigData.2018.8622299

  16. Martin, H., Jana, K., Elias, B., Pavel, C.: Survey of attack projection, prediction, and forecasting in cyber security. IEEE Commun. Surv. Tutor. 21(1), 640–660. IEEE (2018). https://doi.org/10.1109/COMST.2018.2871866

  17. Chen, H., Liu, J., Liu, R., Park, N., Subrahmanian, S.V.: VEST: a system for vulnerability exploit scoring & timing. In: Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, pp. 6503–6505 (2019). https://doi.org/10.24963/ijcai.2019/937

  18. Minh, L.H.T., et al.: DeepCVA: automated commit-level vulnerability assessment with deep multi-task learning. In: Proceedings of 36th IEEE/ACM International Conference on Automated Software Engineering, pp. 717–729. IEEE (2021). https://doi.org/10.1109/ASE51524.2021.9678622

  19. Siewruk, G., Mazurczyk, W.: Context-aware software vulnerability classification using machine learning. IEEE Access 9, 88852–88867 (2021). https://doi.org/10.1109/ACCESS.2021.3075385

    Article  Google Scholar 

  20. Walkowski, M., Krakowiak M., Jaroszewski, M., Oko, J., Sujecki, S.: Automatic CVSS-based vulnerability prioritization and response with context information. In Proceedings of International Conference on Software, Telecommunications and Computer Networks, pp. 1–6 (2021). https://doi.org/10.23919/SoftCOM52868.2021.9559094.559094

  21. Mitra, S., Ransbotham, S.: The effects of vulnerability disclosure policy on the diffusion of security attacks. Inf. Syst. Res. 26(3), 565–584 (2015). https://doi.org/10.1287/isre.2015.0587

    Article  Google Scholar 

  22. Boechat, F., et al.: Is vulnerability report confidence redundant? pitfalls using temporal risk scores. IEEE Secur. Priv. 19(4), 44–53 (2021). https://doi.org/10.1109/MSEC.2021.3070978

    Article  Google Scholar 

  23. Walkowski, M., Oko, J., Sujecki, S.: Vulnerability management models using a common vulnerability scoring system. Appl. Sci. 11, 8735 (2021). https://doi.org/10.3390/app11188735

    Article  Google Scholar 

Download references

Acknowledgment

This work was partially supported by the Japan Society for the Promotion of Science (JSPS) KAKENHI Grant Number JP19H04109, JP22H03592, JP23K16882, and ROIS NII Open Collaborative Research 2022 (22S0302)/2023 (23S0301).

Author information

Authors and Affiliations

  1. Graduate School of Engineering, Kobe University, Kobe, Japan

    Hiroki Kuzuno

  2. Intelligent Systems Laboratory, SECOM CO., LTD, Tokyo, Japan

    Tomohiko Yano

  3. SIOS Technology, Inc., Tokyo, Japan

    Kazuki Omo

  4. Faculty for Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands

    Jeroen van der Ham

  5. Faculty of Environmental, Life, Natural Science and Technology, Okayama University, Okayama, Japan

    Toshihiro Yamauchi

Authors
  1. Hiroki Kuzuno
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tomohiko Yano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kazuki Omo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jeroen van der Ham
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Toshihiro Yamauchi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hiroki Kuzuno .

Editor information

Editors and Affiliations

  1. Pusan National University, Busan, Korea (Republic of)

    Howon Kim

  2. Yeungnam University, Gyeongbuk, Korea (Republic of)

    Jonghee Youn

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kuzuno, H., Yano, T., Omo, K., van der Ham, J., Yamauchi, T. (2024). Security Risk Indicator for Open Source Software to Measure Software Development Status. In: Kim, H., Youn, J. (eds) Information Security Applications. WISA 2023. Lecture Notes in Computer Science, vol 14402. Springer, Singapore. https://doi.org/10.1007/978-981-99-8024-6_12

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8024-6_12

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8023-9

  • Online ISBN: 978-981-99-8024-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation