Time-related vulnerability lookahead extension to the CVE

Abstract

Software scanning against the vulnerability database is one of the regular activities required by all information security management standards. However, the nature of the scanning system itself is reactive; a vulnerability has to be found, then the announcement made, with (and sometimes without) fixes. However, there exist classes of knowledge that are significant, reliable, and can be easily obtained, but are not represented in the vulnerability database. One such knowledge is the time-related vulnerabilities that signify the increasing risk of the system through time. We therefore explore the design and implementation in representing and appending this information, and thus propose an extension to the original Common Vulnerabilities and Exposures (CVE) database, called Time-Related Vulnerability Lookahead Extension to the CVE (T-CVE). This extension would complement the classical CVE in providing a publicly early-warning system so that the information security managers will be able to proactively assess their resources' C-I-A risks through trend analysis and will be able to mitigate them in a timely fashion. This work will initially focus on four proactive time-related information categories, namely the obsolete (software) platform, out-of-date (malware) signature, (hardware) degradation due to wear-and-tear, and (software) expiry. Obviously, other categories can later be similarly appended based on this framework.