Comparison and Analysis of Software Vulnerability Databases

Full Text (PDF, 548KB), PP.1-14

Views: 0 Downloads: 0

Author(s)

Hakan Kekul 1,2,* Burhan Ergen 3 Halil ARSLAN 4

1. University of Fırat, Institute of Science, Elazığ Turkey

2. Sivas Information Technology Technical High School, Diriliş Mahallesi Rüzgarli Sokak No 21 Sivas, Turkey.

3. University of Fırat, Faculty of Engineering, Computer Engineering Department, Elazığ Turkey

4. University of Sivas Cumhuriyet, Faculty of Engineering, Computer Engineering Department, Sivas Turkey.

* Corresponding author.

DOI: https://doi.org/10.5815/ijem.2022.04.01

Received: 26 Apr. 2022 / Revised: 11 May 2022 / Accepted: 27 May 2022 / Published: 8 Aug. 2022

Index Terms

Software Security, Software Vulnerability, Vulnerability Databases, Information Securty, Cyber Security

Abstract

In order to protect information systems against threats and vulnerabilities, security breaches should be analyzed. In this case, analysts primarily conduct intelligence research through open source systems. In particular, vulnerability databases stand out as the most preferred references at this stage. At this point, our study will be the main reference for the verification of vulnerability analysis. It will assist in the planning of testing processes, patches and updates in the development of software. Moreover, it will create a perspective in this field, enabling readers to understand the concept of software security and databases.  In addition to unique advantages of this diversity, this has also led to some disadvantages. Our study focused on the reasons behind the creation of different databases. In addition, its advantages and disadvantages have been clearly demonstrated. First, the databases used were determined by examining the academic studies in the field of software security vulnerabilities. Twelve different databases used in the literature were identified. However, among these, the ones that are current and accessible to researchers were selected. As a result of this screening process, seven different databases were included in this study. The determined databases were examined in detail and explained. Then, databases were compared according to certain criteria. The data obtained as a result of the comparison are presented in detail. In this study, a systematic review of up-to-date and accessible vulnerability databases that are widely used in the literature is presented to help researchers decide which database to use.

Cite This Paper

Hakan KEKÜL, Burhan ERGEN, Halil ARSLAN, "Comparison and Analysis of Software Vulnerability Databases", International Journal of Engineering and Manufacturing (IJEM), Vol.12, No.4, pp. 1-14, 2022. DOI:10.5815/ijem.2022.04.01

Reference

[1]H. Kekül, B. Ergen, H. Arslan, A multiclass hybrid approach to estimating software vulnerability vectors and severity score, J. Inf. Secur. Appl. 63 (2021) 103028. https://doi.org/https://doi.org/10.1016/j.jisa.2021.103028.

[2]H. Kekül, B. Ergen, H. Arslan, A New Vulnerability Reporting Framework for Software Vulnerability Databases, Int. J. Educ. Manag. Eng. 11 (2021) 11–19. https://doi.org/10.5815/ijeme.2021.03.02.

[3]S. Zhang, X. Ou, D. Caragea, Predicting Cyber Risks through National Vulnerability Database, Inf. Secur. J. A Glob. Perspect. 24 (2015) 194–206. https://doi.org/10.1080/19393555.2015.1111961.

[4]L.P. Kobek, The State of Cybersecurity in Mexico: An Overview, Wilson Centre’s Mex. Institute, Jan. (2017).

[5]T.W. Moore, C.W. Probst, K. Rannenberg, M. van Eeten, Assessing ICT Security Risks in Socio-Technical Systems (Dagstuhl Seminar 16461), Dagstuhl Reports. 6 (2017) 63–89. https://doi.org/10.4230/DagRep.6.11.63.

[6]J. Ruohonen, A look at the time delays in CVSS vulnerability scoring, Appl. Comput. Informatics. 15 (2019) 129–135. https://doi.org/10.1016/j.aci.2017.12.002.

[7]C. Theisen, L. Williams, Better together: Comparing vulnerability prediction models, Inf. Softw. Technol. 119 (2020). https://doi.org/10.1016/j.infsof.2019.106204.

[8]C.W. Samuel Ndichu, Sylvester McOyowo, Henry Okoyo, A Remote Access Security Model based on Vulnerability Management, Int. J. Inf. Technol. Comput. Sci. 12 (2020) 38–51. https://doi.org/10.5815/ijitcs.2020.05.03.

[9]H. Kekül, B. Ergen, H. Arslan, Yazılım Güvenlik Açığı Veri Tabanları, Avrupa Bilim ve Teknol. Derg. (2021) 1008–1012.

[10]S.M. Ghaffarian, H.R. Shahriari, Software vulnerability analysis and discovery using machine-learning and data-mining techniques: A survey, ACM Comput. Surv. 50 (2017). https://doi.org/10.1145/3092566.

[11]X. Wu, W. Zheng, X. Chen, F. Wang, D. Mu, CVE-assisted large-scale security bug report dataset construction method, J. Syst. Softw. 160 (2020) 110456. https://doi.org/10.1016/j.jss.2019.110456.

[12]Y. Fang, Y. Liu, C. Huang, L. Liu, Fastembed: Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm, PLoS One. 15 (2020) 1–28. https://doi.org/10.1371/journal.pone.0228439.

[13]H. Yang, S. Park, K. Yim, M. Lee, Better not to use vulnerability’s reference for exploitability prediction, Appl. Sci. 10 (2020). https://doi.org/10.3390/app10072555.

[14]R. Raducu, G. Esteban, F.J.R. Lera, C. Fernández, Collecting vulnerable source code from open-source repositories for dataset generation, Appl. Sci. 10 (2020). https://doi.org/10.3390/app10041270.

[15]D. Miyamoto, Y. Yamamoto, M. Nakayama, Text-mining approach for estimating vulnerability score, Proc. - 2015 4th Int. Work. Build. Anal. Datasets Gather. Exp. Returns Secur. BADGERS 2015. (2017) 67–73. https://doi.org/10.1109/BADGERS.2015.12.

[16]E. Yasasin, J. Prester, G. Wagner, G. Schryen, Forecasting IT security vulnerabilities – An empirical analysis, Comput. Secur. 88 (2020) 101610. https://doi.org/10.1016/j.cose.2019.101610.

[17]I.V. Krsul, Software vulnerability analysis, Purdue University, 1998.

[18]A. Ozment, Improving vulnerability discovery models: Problems with definitions and assumptions, Proc. ACM Conf. Comput. Commun. Secur. (2007) 6–11. https://doi.org/10.1145/1314257.1314261.

[19]I.S.C. Committee, others, IEEE Standard Glossary of Software Engineering Terminology (IEEE Std 610.12-1990). Los Alamitos, CA IEEE Comput. Soc. 169 (1990).

[20]G. Schryen, Security of open source and closed source software: An empirical comparison of published vulnerabilities, AMCIS 2009 Proc. (2009) 387.

[21]A. Kuehn, M. Mueller, Shifts in the cybersecurity paradigm: Zero-day exploits, discourse, and emerging institutions, in: Proc. 2014 New Secur. Paradig. Work., 2014: pp. 63–68.

[22]O. Bozoklu, C.Z. Çil, Yazılım Güvenlik Açığı Ekosistemi Ve Türkiye’deki Durum Değerlendirmesi, Uluslararası Bilgi Güvenliği Mühendisliği Derg. 3 (2017) 6–26.

[23]Mitre Corporation, (2020). https://www.mitre.org (accessed July 25, 2020).

[24]CVE, CVE, Common Vulnerabilities Expo. (2020). https://cve.mitre.org (accessed July 25, 2020).

[25]G. Schryen, Is Open Source Security a Myth?, Commun. ACM. 54 (2011) 130–140. https://doi.org/10.1145/1941487.1941516.

[26]NVD, NVD, Natl. Vulnerability Database. (2020). https://nvd.nist.gov (accessed July 25, 2020).

[27]ExploitDB, Exploit Database, (2020). https://www.exploit-db.com (accessed July 25, 2020).

[28]SecurityFocus, SecurityFocus, (2020). https://www.securityfocus.com (accessed July 25, 2020).

[29]Rapid7, Rapid7, (2020). https://www.rapid7.com/db/ (accessed July 25, 2020).

[30]Snyk, Snyk, (2020). https://snyk.io (accessed July 25, 2020).

[31]SARD, SARD-Software Assurance Reference Dataset Project, (2020). https://samate.nist.gov (accessed July 25, 2020).

[32]G. Spanos, L. Angelis, A multi-target approach to estimate software vulnerability characteristics and severity scores, J. Syst. Softw. 146 (2018) 152–166. https://doi.org/10.1016/j.jss.2018.09.039.

[33]E.R. Russo, A. Di Sorbo, C.A. Visaggio, G. Canfora, Summarizing vulnerabilities’ descriptions to support experts during vulnerability assessment activities, J. Syst. Softw. 156 (2019) 84–99. https://doi.org/10.1016/j.jss.2019.06.001.