Vulnerability Response Decision Assistance
Each year, thousands of new software vulnerabilities are reported, and affected organizations must analyze them and decide how to respond. Many organizations rely on ad hoc decision making, which often produces inconsistent decisions that do not properly reflect the concerns of the organization as a whole. VRDA (Vulnerability Response Decision Assistance) allows organizations to leverage the analysis effort of other organizations and to structure their own decision making. VRDA enables organizations to spend less time analyzing vulnerabilities that do not concern them, to make decisions more consistently, and to structure their decision making so that it better aligns with the goals of the organization. VRDA consists of a data exchange format, a decision-making model, a technique for creating decision models, and a tool embodying these concepts. One response team is employing a basic form of VRDA to cut the number of vulnerabilities it analyzes by a factor of two. Another response team is developing and testing a VRDA implementation within its organization.
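The abstract describes a decision model that maps shared facts about a vulnerability (plus an organization's own facts) to a response, so that uninteresting vulnerabilities are dropped early and the remaining decisions are consistent. The following is an added illustration of that idea, not the paper's model, data format or tool: the fact names (`product`, `impact`, `attack_vector`, `deployed`), the decision tree and the response labels are assumptions chosen for the example, and the vulnerability records are constructed sample input.

```python
"""Toy vulnerability-response triage in the spirit of the VRDA decision model.

Added example, not the paper's own code. The fact names, the decision tree and
the response labels are assumptions for illustration; VRDA leaves the actual
facts and trees to each organization.
"""
from typing import Any, Dict, Iterable, List, Set

# Constructed sample of shared "world facts" about vulnerabilities, in the form
# a publishing team might exchange. V-5 deliberately lacks an 'impact' fact.
WORLD_FACTS: List[Dict[str, Any]] = [
    {"id": "V-1", "product": "webapp-x", "impact": "arbitrary_code",
     "attack_vector": "network"},
    {"id": "V-2", "product": "legacy-db", "impact": "denial_of_service",
     "attack_vector": "network"},
    {"id": "V-3", "product": "webapp-x", "impact": "info_disclosure",
     "attack_vector": "network"},
    {"id": "V-4", "product": "mail-gw", "impact": "arbitrary_code",
     "attack_vector": "local"},
    {"id": "V-5", "product": "webapp-x", "attack_vector": "network"},
]

# The consuming organization's own fact: which products it actually runs.
DEPLOYED_PRODUCTS: Set[str] = {"webapp-x", "mail-gw"}

# Decision tree encoding a hypothetical response policy. An internal node names
# a fact and maps its values to subtrees (with an optional 'default'); a leaf
# carries the response label.
RESPONSE_TREE: Dict[str, Any] = {
    "fact": "deployed",
    "branches": {
        False: {"response": "ignore"},          # not our product: no further analysis
        True: {
            "fact": "impact",
            "branches": {
                "arbitrary_code": {
                    "fact": "attack_vector",
                    "branches": {"network": {"response": "patch_now"}},
                    "default": {"response": "patch_scheduled"},
                },
                "denial_of_service": {"response": "patch_scheduled"},
            },
            "default": {"response": "monitor"},
        },
    },
}


def evaluate(tree: Dict[str, Any], facts: Dict[str, Any]) -> str:
    """Walk the tree using the given facts and return the response label.

    A fact the tree needs but the record lacks means the model cannot be
    applied; that is reported as 'needs_analysis' rather than silently taking
    a default branch, so incomplete shared data never yields a confident
    decision.
    """
    node = tree
    while "response" not in node:
        fact = node["fact"]
        if fact not in facts:
            return "needs_analysis"
        node = node["branches"].get(facts[fact], node.get("default"))
        if node is None:
            return "needs_analysis"
    return node["response"]


def triage(world_facts: Iterable[Dict[str, Any]], deployed: Set[str],
           tree: Dict[str, Any]) -> Dict[str, str]:
    """Combine each shared record with the organization's facts and decide."""
    decisions: Dict[str, str] = {}
    for vuln in world_facts:
        facts = dict(vuln)
        facts["deployed"] = vuln.get("product") in deployed
        decisions[vuln["id"]] = evaluate(tree, facts)
    return decisions


def summarize(decisions: Dict[str, str]) -> Dict[str, int]:
    """Count decisions per response label (e.g. how many were dropped early)."""
    counts: Dict[str, int] = {}
    for label in decisions.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(WORLD_FACTS, DEPLOYED_PRODUCTS, RESPONSE_TREE)
    for vuln_id, label in result.items():
        print(vuln_id, label)
    print(summarize(result))
```

Because the tree is data rather than per-analyst judgement, two analysts fed the same facts reach the same decision, and the `ignore` branch is where the time saving on irrelevant vulnerabilities comes from; the `needs_analysis` result is the check that keeps a missing shared fact from being mistaken for a benign one.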
Keywords: Response Decision, Response Team, World Fact, Arbitrary Code, Software Vulnerability