
Manager Asks: Which Vulnerability Must be Eliminated First?

  • Conference paper
Innovative Security Solutions for Information Technology and Communications (SecITC 2020)

Abstract

Nowadays, the number of discovered vulnerabilities increases rapidly. In 2018, 17,308 vulnerabilities were discovered, and during 2019 even more, up to 20,362. The serious problem is that a substantial part of them is rated as critical, or at least labeled as high, according to the CVSS (Common Vulnerability Scoring System). This causes a practical problem: designers and/or developers do not know which vulnerability should be eliminated first. The time needed to remove a vulnerability is crucial from the practical point of view of cyber security. The main contribution of this article is a proposal of a new method for prioritizing vulnerabilities. The aim of the proposed method is to eliminate the disadvantages of the approaches commonly used today. Our method improves the prioritization of vulnerabilities by utilizing three parameters: the possibility of exploitation, the availability of information about the vulnerability, and knowledge obtained through Threat Intelligence. These three parameters are highly important, especially for newly discovered vulnerabilities, where the priority can differ from day to day. We evaluate the functionality of the proposed method in the production environment of a medium-sized company (30 servers, 200 end-stations) and compare the results with the CVSS method.

Research described in this paper was financed by the Technology Agency of the Czech Republic (TACR), project no. TJ04000456.


Notes

  1. The currently used version of the CVSS is 3.1. This and older versions are described in detail in the methodology's documentation at https://www.first.org/cvss/v3-1/.

  2. For example, there is an available exploit in the Metasploit DB.

  3. In total, 200 vulnerabilities were not selected for the comparison; they were recurrent or not relevant for comparison due to low severity, so no prioritization is required.


Author information

Corresponding author: Zdenek Martinasek.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Pecl, D., Safonov, Y., Martinasek, Z., Kacic, M., Almer, L., Malina, L. (2021). Manager Asks: Which Vulnerability Must be Eliminated First?. In: Maimut, D., Oprina, AG., Sauveron, D. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2020. Lecture Notes in Computer Science(), vol 12596. Springer, Cham. https://doi.org/10.1007/978-3-030-69255-1_10


  • DOI: https://doi.org/10.1007/978-3-030-69255-1_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-69254-4

  • Online ISBN: 978-3-030-69255-1
