Managing Publicly Known Security Vulnerabilities in Software Systems

Abstract

Monitoring security vulnerabilities (weaknesses in software systems) is very important for organizations. Third parties such as National Institute of Standards and Technology (NIST) regularly publish vulnerability reports to secure national networks and protect business interests. The main challenge in this context is that the software systems against which the vulnerabilities are published are typically known differently to various stake holders that consume those vulnerable software systems. For instance, an organization may refer to one of its software components as my.program.js, however NIST may report a vulnerability on that particular software component as $org\lrcorner Jrogram\lrcorner S$ according to their standards. Thousands of vulnerabilities are reported against millions of software compo- nents every year, which makes this problem very complex. In this paper, we propose a system that matches imprecise pieces of data to track vulnerabilities in software systems. The heart of the proposed system is a text mining technique that is capable of searching vulnerabilities from large volumes of data regardless of how the software systems are named. Our extensive experiments with real datasets reveal that the proposed system is capable of capturing vulnerabilities with more than 90% accuracy.