New scoring framework addresses software vulnerabilities

George Mason University has launched the Mason Vulnerability Scoring Framework (MVSF), which publishes a continuously updated ranking of the most common global software weaknesses. The work, in conjunction with PARC (Palo Alto Research Center), relies on National Institute of Standards and Technology (NIST) Common Vulnerabilities and Exposures data and other sources of vulnerability information to create an up-to-date database that can be used to identify and mitigate risks. This line of work has resulted in multiple pending patent applications and a Best Paper Award at the 19th International Conference on Security and Cryptography.

Image: cybersecurity code with 1s and 0s (blue computer code and yellow locks on a black background). Photo provided by iStock images.

Liza Wilson Durant, Mason's associate provost for strategic initiatives and community engagement, says, "This preemptive tool to guide strategic defense against cybersecurity vulnerabilities will not only safeguard systems but mitigate potential business revenue losses for those who leverage the tool."

An existing list called the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses, compiled by The MITRE Corporation, has long been the industry standard. MVSF improves on the CWE Top 25 by taking in data monthly, compared to MITRE's yearly reporting. This improvement gives researchers, programmers, developers, and others an accurate, almost real-time picture of where software vulnerabilities are most likely to be exploited. Additionally, where MITRE ranks the top 25 weaknesses, MVSF ranks the top 150.

Associate Professor and Associate Director Max Albanese oversees the project for Mason. He says, "If there is a trend where a certain type of vulnerability is becoming more severe, you don't have to wait for a full year to discover that; you'll see that class of vulnerability getting worse, or better, month-to-month." MVSF can even correct course based on new information, going back and re-ranking the order of weaknesses in a previous month based on information that was not known at the time of the original ranking.

Albanese further notes that NIST assigns a severity score to vulnerabilities based on a combination of an exploitability score (how difficult the vulnerability is to exploit) and an impact score (how bad the consequences would be if the vulnerability were exploited). MVSF uses those components as variables but allows users to add their own, additional variables not considered by NIST. MVSF also allows users to decide how to weigh the variables that rank the vulnerabilities. This customizability, still under development, is an important feature of the new system.
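The three ideas in the paragraphs above (ranking weakness classes from monthly CVE data, re-ranking a past month when late information arrives, and letting the user add and weight variables beyond the NIST components) can be illustrated with a small script. This is an added example written for this article, not MVSF code, and its details are assumptions: it aggregates a weighted linear sum of per-CVE scores into a per-CWE total for one month, the record schema and the `observed_exploitation` variable are invented for the illustration, and the CVE IDs are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vuln:
    """One CVE record reduced to the fields the ranking needs (constructed schema)."""
    cve_id: str
    cwe_id: str            # weakness class the CVE is mapped to
    month: str             # publication month, "YYYY-MM"
    exploitability: float  # CVSS v3 exploitability subscore (0 to 3.9)
    impact: float          # CVSS v3 impact subscore (0 to 6.0)
    extra: dict = field(default_factory=dict)  # user-defined variables not scored by NIST


def score_vuln(v: Vuln, weights: dict) -> float:
    """Weighted linear combination of the NIST components plus any user-defined variables.

    The weighting scheme is an assumption made for this example; the article only says
    MVSF uses the NIST components as variables and lets users add and weight their own.
    """
    total = 0.0
    for name, w in weights.items():
        if name == "exploitability":
            value = v.exploitability
        elif name == "impact":
            value = v.impact
        else:
            value = v.extra.get(name, 0.0)  # a variable absent from a record contributes nothing
        total += w * value
    return total


def rank_weaknesses(vulns, weights: dict, month: str, top_n: int = 150):
    """Rank weakness classes for one month by summing the scores of the CVEs published in it.

    The ranking is recomputed from the full current dataset on every run, so a CVE that
    arrives late for a past month changes that month's ranking the next time it is built.
    """
    by_cwe = defaultdict(float)
    for v in vulns:
        if v.month == month:
            by_cwe[v.cwe_id] += score_vuln(v, weights)
    ranked = sorted(by_cwe.items(), key=lambda kv: (-kv[1], kv[0]))  # highest first, ties by ID
    return [cwe for cwe, _ in ranked[:top_n]]


# Two weighting profiles: the NIST components only, and one with a user-added variable.
NIST_ONLY = {"exploitability": 1.0, "impact": 1.0}
WITH_CUSTOM = {"exploitability": 1.0, "impact": 1.0, "observed_exploitation": 5.0}


def demo():
    """Build the January ranking three ways; returns a dict of rankings."""
    # Constructed sample records; the CVE IDs are placeholders, not real entries.
    dataset = [
        Vuln("CVE-0000-0001", "CWE-79", "2024-01", 2.8, 2.7, {"observed_exploitation": 1.0}),
        Vuln("CVE-0000-0002", "CWE-79", "2024-01", 2.8, 2.7),
        Vuln("CVE-0000-0003", "CWE-89", "2024-01", 3.9, 5.9),
        Vuln("CVE-0000-0004", "CWE-787", "2024-02", 1.8, 5.9),
    ]
    results = {"january_initial": rank_weaknesses(dataset, NIST_ONLY, "2024-01")}

    # A January CVE that was not known at the time arrives with the February data load;
    # rebuilding January from the current dataset re-ranks it.
    dataset.append(Vuln("CVE-0000-0005", "CWE-89", "2024-01", 1.8, 3.6))
    results["january_reranked"] = rank_weaknesses(dataset, NIST_ONLY, "2024-01")

    # Same data, but the user adds a variable NIST does not score and weights it heavily.
    results["january_custom_weights"] = rank_weaknesses(dataset, WITH_CUSTOM, "2024-01")
    return results


if __name__ == "__main__":
    for label, ranking in demo().items():
        print(f"{label}: {ranking}")
```

With the NIST components alone, CWE-79 leads January on the initial data, the late-arriving CWE-89 record flips the order when January is rebuilt, and the user-added `observed_exploitation` variable flips it back; the February-only CWE-787 record never appears in a January ranking.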

Mason and PARC's collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) program in a project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.

The association with PARC here was important to making the project a success. "Working with GMU was a productive collaboration," says Marc Mosko, principal scientist, PARC. "Configuration vulnerabilities are growing, now comprising over 15 percent of all Common Vulnerability and Exposure (CVE) notices. We appreciate that across many different industry sectors, there are often gaps in context between management, software security teams, and those who are responsible for ensuring systems are performing optimally on an ongoing basis. Our work addresses these evolving configuration security needs, and we look forward to exploring opportunities to apply this work in the future."

Albanese, who is also an external consultant for MITRE, has initiated a collaboration with MITRE's group responsible for CWE to leverage synergies between the two organizations.

"In addition to the excitement of the innovation, it is equally impactful to see undergraduate students involved in its design and implementation and innovating alongside their mentor faculty," says Wilson Durant.

Continued support will be provided for two Mason undergraduate students to assist with the project, which Albanese says is key for the continued maintenance of the system.