New scoring framework addresses software vulnerabilities


The George Mason University College of Engineering and Computing has launched the Mason Vulnerability Scoring Framework (MVSF), which publishes a continuously updated ranking of the most common software weaknesses worldwide. The work, carried out in conjunction with PARC (Palo Alto Research Center), draws on the Common Vulnerabilities and Exposures (CVE) records that the National Institute of Standards and Technology (NIST) publishes through its National Vulnerability Database, together with other sources of vulnerability information, to maintain an up-to-date database that can be used to identify and mitigate risks. This line of work has resulted in multiple pending patent applications and a Best Paper Award at the 19th International Conference on Security and Cryptography.

Liza Wilson Durant, Mason's associate provost for strategic initiatives and community engagement, says, "This preemptive tool to guide strategic defense against cybersecurity vulnerabilities will not only safeguard systems but mitigate potential business revenue losses for those who leverage the tool."

An existing list, the CWE Top 25 Most Dangerous Software Weaknesses compiled by The MITRE Corporation from its Common Weakness Enumeration (CWE), has long been the industry standard. MVSF improves on the CWE Top 25 by ingesting new data monthly, where MITRE publishes its list yearly. The shorter cycle gives researchers, programmers, developers, and others an almost real-time picture of which weakness classes are currently producing the most, and the most dangerous, vulnerabilities. Additionally, where MITRE ranks the top 25 weaknesses, MVSF ranks the top 150.

Max Albanese, associate professor in the Department of Information Sciences and Technology and associate director of the Center for Secure Information Systems, oversees the project for Mason. He says, "If there is a trend where a certain type of vulnerability is becoming more severe, you don't have to wait for a full year to discover that; you'll see that class of vulnerability getting worse – or better – month-to-month." MVSF can also correct course: when a vulnerability record becomes available after a month has already been ranked, the framework goes back and re-ranks that month's weaknesses with the new information included.

Albanese further notes that the severity score NIST publishes for each vulnerability combines an exploitability score – how difficult the vulnerability is to exploit – with an impact score – how bad the consequences would be if it were exploited. MVSF uses those two components as variables but lets users add variables of their own that NIST does not consider, and lets them decide how heavily each variable is weighted when the weaknesses are ranked. This customizability, still under development, is an important feature of the new system.
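The ranking mechanics described above, as an added illustration in Python that is not MVSF's own code or published formula (the article gives none): constructed CVE records are scored from CVSS-style exploitability and impact sub-scores plus a user-defined `known_exploited` variable under user-chosen weights, bucketed by month, and a past month is re-ranked once a late-arriving record is included. Every record, sub-score, CWE assignment and weight below is made up for the example.

```python
"""Weighted weakness ranking from CVE records: a constructed illustration.

Not the MVSF algorithm (the article does not publish one). It shows the
moving parts the article describes: per-vulnerability scores built from
NIST-style exploitability and impact sub-scores plus user-supplied
variables, user-chosen weights, monthly buckets, and re-ranking a past
month after records unknown at ranking time arrive. All data is made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CveRecord:
    cve_id: str
    cwe: str               # weakness class the vulnerability instantiates
    month: str             # month the vulnerability is attributed to, "YYYY-MM"
    known_since: str       # date the record became available, "YYYY-MM-DD"
    exploitability: float  # CVSS v3.x exploitability sub-score, 0.0 to 3.9
    impact: float          # CVSS v3.x impact sub-score, 0.0 to 6.0
    extra: dict = field(default_factory=dict)  # analyst-defined variables


def severity(rec: CveRecord, weights: dict) -> float:
    """Weighted sum over the variables named in `weights`.

    Built-in variables are exploitability and impact; any other name is
    looked up in rec.extra and treated as 0.0 when absent, so records that
    lack a user-defined field still rank instead of raising.
    """
    total = 0.0
    for name, w in weights.items():
        if name == "exploitability":
            value = rec.exploitability
        elif name == "impact":
            value = rec.impact
        else:
            value = float(rec.extra.get(name, 0.0))
        total += w * value
    return total


def rank_weaknesses(records, month, weights, as_of=None):
    """Rank CWE classes for one month, highest score first.

    A class scores the sum of its vulnerabilities' weighted severities, so
    both frequency and severity push it up. `as_of` restricts the input to
    records known by that date (ISO dates compare correctly as strings);
    None uses everything, which is how a past month is re-ranked once late
    records have arrived. Ties break on the CWE id for determinism.
    """
    totals = defaultdict(float)
    for rec in records:
        if rec.month != month:
            continue
        if as_of is not None and rec.known_since > as_of:
            continue
        totals[rec.cwe] += severity(rec, weights)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample feed. CVE-2024-0004 is attributed to March but only
# became known in April, so a March ranking computed on 31 March misses it.
SAMPLE_RECORDS = [
    CveRecord("CVE-2024-0001", "CWE-79", "2024-03", "2024-03-10", 2.8, 2.7),
    CveRecord("CVE-2024-0002", "CWE-79", "2024-03", "2024-03-15", 2.8, 2.7),
    CveRecord("CVE-2024-0003", "CWE-787", "2024-03", "2024-03-20", 1.8, 5.9,
              {"known_exploited": 1}),
    CveRecord("CVE-2024-0004", "CWE-787", "2024-03", "2024-04-12", 1.8, 5.9,
              {"known_exploited": 1}),
    CveRecord("CVE-2024-0005", "CWE-89", "2024-03", "2024-03-05", 3.9, 5.9),
    CveRecord("CVE-2024-0006", "CWE-79", "2024-04", "2024-04-03", 2.8, 2.7),
]

# Hypothetical analyst weighting: NIST sub-scores unweighted, plus a
# user-defined "known_exploited" flag that counts double.
DEFAULT_WEIGHTS = {"exploitability": 1.0, "impact": 1.0, "known_exploited": 2.0}


if __name__ == "__main__":
    print("March, as ranked on 31 March:",
          rank_weaknesses(SAMPLE_RECORDS, "2024-03", DEFAULT_WEIGHTS, "2024-03-31"))
    print("March, re-ranked with the late record:",
          rank_weaknesses(SAMPLE_RECORDS, "2024-03", DEFAULT_WEIGHTS))
    print("March, exploitability-heavy weights:",
          rank_weaknesses(SAMPLE_RECORDS, "2024-03",
                          {"exploitability": 2.0, "impact": 0.5}))
```

Run on the sample feed, CWE-79 tops the March list as ranked on 31 March, CWE-787 takes first place once the back-dated CVE-2024-0004 is counted, and switching to exploitability-heavy weights reorders the same month again, which is the effect of user-chosen weights the paragraph describes.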

Mason and PARC's collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working, under the Defense Advanced Research Projects Agency (DARPA) ConSec program, on a project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determining security configurations that protect critical infrastructure and IoT-based systems.

The association with PARC was important to making the project a success. "Working with GMU was a productive collaboration," says Marc Mosko, principal scientist, PARC. "Configuration vulnerabilities are growing, now comprising over 15 percent of all Common Vulnerabilities and Exposures (CVE) notices. We appreciate that across many different industry sectors, there are often gaps in context between management, software security teams, and those who are responsible for ensuring systems are performing optimally on an ongoing basis. Our work addresses these evolving configuration security needs, and we look forward to exploring opportunities to apply this work in the future."

Albanese, who is also an external consultant for MITRE, has initiated a collaboration with MITRE’s group responsible for CWE to leverage synergies between the two organizations.

"In addition to the excitement of the innovation, it is equally impactful to see undergraduate students involved in its design and implementation and innovating alongside their mentor faculty," says Wilson Durant.

The Virginia Commonwealth Cyber Initiative (CCI) will provide continued support for two Mason undergraduate students to assist with the project, which Albanese says is key to the system's continued maintenance.