Software Vulnerability Databases
Year 2021, Issue: 28, 1008-1012, 30.11.2021
Hakan Kekül, Burhan Ergen, Halil Arslan
Abstract
Predicting the vulnerability proneness of a software component is one of the challenging research areas of software engineering. Prior knowledge of a component's vulnerability proneness can significantly reduce testing effort and time. Identifying and classifying software vulnerabilities helps developers make the right decisions during software development. For this reason, vulnerabilities detected in software have been recorded in databases for a very long time. Many databases have been created by different research groups, and this diversity has given each database its own advantages and disadvantages. This study compiles a systematic list of the most up-to-date and publicly accessible databases used in the literature, to help researchers decide which database to use in their work. It reviews and compares many different databases used in software vulnerability detection and classification. The study closes with its results and guiding recommendations for future work.
Supporting Institution
Türkiye Bilimsel ve Teknolojik Araştırma Kurumu (TÜBİTAK) (The Scientific and Technological Research Council of Türkiye)