A Software Vulnerability Management Framework for the Minimization of System Attack Surface and Risk
Abstract
1. Introduction
1.1. Software-Related Security Issues in IoT Software
1.2. Assessing the Security of IoT Software
2. Materials and Methods
2.1. Architecture of the Proposed Framework
2.2. The Additional Testsuite Framework: An Overview
- Tests are written once, and can be flexibly associated with any number of software programs and versions, limiting the effort and complexity needed for the maintenance of test cases.
- It supports dynamic/selective program builds that include only the portions of the software that match some designated functionality.
- For software applications that are developed or organized according to the feature-based development paradigm [37], builds can be tailored to create executables that only support a subset of the available features.
- It can underpin the localization of bugs introduced during software evolution, including regression bugs, through the comparison of code in versions producing erroneous results against the code in versions yielding correct results.
- It can facilitate documentation compilation, since functionality-oriented and feature-based tests can be included in documentation on the functionality/feature they pertain to, serving as examples of the specific functionality/feature as well as providing examples of usage.
2.3. Feature Management Using the ATF
- ATF consults the environment variable FEATURE_LIST, which holds the path to a feature-tailoring configuration file. This file lists the features that should be enabled in the specific software build and, for each feature, the version that should be enabled, as illustrated in Listing 1. ATF then arranges for the tailored software bundle to include the code realizing these features, retrieving it from the relevant repositories.
- ATF scans the code for instances of the @ATFeature annotation. This annotation is attached to methods and specifies the features that must be enabled for the method to be included in the final executable, effectively providing an advanced conditional compilation mechanism. More specifically, the @ATFeature annotation lists the program features on which the specific method depends. During the tailoring procedure, the ATF matches these features against the feature-tailoring configuration specified via the FEATURE_LIST environment variable, and includes the method implementation in the tailored version of the software only if all the specified features are enabled via FEATURE_LIST and the version of each enabled feature also falls within the designated version range. Listing 2 presents an example of the usage of the @ATFeature annotation.
Listing 1. Example FEATURE_LIST file contents.

```
jaxrs,2.3.1
jaxb,2.4.0
jsonp,1.2
cdi,2.1
localConnector,1.1
servlet,4.1.34
```

Listing 2. Example usage of the @ATFeature annotation.

```java
@ATFeature(feature = {"jaxrs, jaxb, jsonp, cdi, localConnector, servlet"},
           minVersion = {"2.1, 2.2, 1.1, 2.0, 1.0, 4.0"},
           maxVersion = {"null, null, null, null, null, null"})
public void doJaxRs() throws Exception {
    // Feature-dependent code
}
```
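The inclusion decision described above, as an added example (my code, not the ATF's own implementation): a FEATURE_LIST file with the contents of Listing 1 is parsed, the three comma-separated strings of the Listing 2 annotation are turned into per-feature version constraints, and a method is kept only when every feature it depends on is enabled at a version inside [minVersion, maxVersion]. The file format and annotation values come from the listings; the tolerance of comment lines, the zero-padded version comparison (so that 1.2 equals 1.2.0) and the reasons returned for an exclusion are my assumptions. The function also exercises the failure cases a build should report: a feature missing from FEATURE_LIST, and an enabled version outside the declared range.

```python
"""Added example, not ATF code: decide whether an @ATFeature-annotated method is kept
in a build tailored by a FEATURE_LIST file (Listings 1 and 2)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed FEATURE_LIST contents, copied from Listing 1.
FEATURE_LIST_TEXT = """\
jaxrs,2.3.1
jaxb,2.4.0
jsonp,1.2
cdi,2.1
localConnector,1.1
servlet,4.1.34
"""

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.1.34' -> (4, 1, 34); every component must be numeric."""
    return tuple(int(p) for p in text.strip().split("."))


def compare_versions(a: Version, b: Version) -> int:
    """Numeric, component-wise comparison with zero padding, so 1.2 == 1.2.0 (assumption)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_feature_list(text: str) -> dict[str, Version]:
    """Parse 'feature,version' lines. Blank lines and '#' comments are skipped (assumption);
    any other malformed line is rejected instead of being silently ignored."""
    enabled: dict[str, Version] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"FEATURE_LIST line {lineno}: expected 'feature,version', got {raw!r}")
        enabled[parts[0]] = parse_version(parts[1])
    return enabled


@dataclass(frozen=True)
class FeatureConstraint:
    feature: str
    min_version: Version | None   # None stands for the annotation's "null": no lower bound
    max_version: Version | None   # None: no upper bound


def parse_annotation(feature: str, min_version: str, max_version: str) -> list[FeatureConstraint]:
    """Turn the three comma-separated strings of Listing 2 into parallel constraints."""
    names = [s.strip() for s in feature.split(",")]
    lows = [s.strip() for s in min_version.split(",")]
    highs = [s.strip() for s in max_version.split(",")]
    if not len(names) == len(lows) == len(highs):
        raise ValueError("feature, minVersion and maxVersion must list the same number of entries")

    def bound(s: str) -> Version | None:
        return None if s == "null" else parse_version(s)

    return [FeatureConstraint(n, bound(lo), bound(hi)) for n, lo, hi in zip(names, lows, highs)]


# The annotation of Listing 2, as the ATF would read it from doJaxRs().
DO_JAXRS = parse_annotation(
    "jaxrs, jaxb, jsonp, cdi, localConnector, servlet",
    "2.1, 2.2, 1.1, 2.0, 1.0, 4.0",
    "null, null, null, null, null, null",
)


def method_included(constraints: list[FeatureConstraint],
                    enabled: dict[str, Version]) -> tuple[bool, list[str]]:
    """Keep the method only if every listed feature is enabled and its enabled version lies in
    [minVersion, maxVersion]. The reasons list explains an exclusion, which is what a build log
    should show instead of silently dropping code."""
    reasons: list[str] = []
    for c in constraints:
        v = enabled.get(c.feature)
        if v is None:
            reasons.append(f"{c.feature}: not enabled in FEATURE_LIST")
        elif c.min_version is not None and compare_versions(v, c.min_version) < 0:
            reasons.append(f"{c.feature}: enabled version below minimum")
        elif c.max_version is not None and compare_versions(v, c.max_version) > 0:
            reasons.append(f"{c.feature}: enabled version above maximum")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = method_included(DO_JAXRS, parse_feature_list(FEATURE_LIST_TEXT))
    print("doJaxRs included:", ok, why)
```

With the Listing 1 file every constraint of Listing 2 is satisfied, so doJaxRs() is kept; capping servlet at maxVersion 4.1 or removing the cdi line from the file excludes it, and the returned reasons say why.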
2.4. Static Code Analysis for Vulnerability Detection
- A textual description of the issue;
- A designation of the estimated severity of the issue, which may be INFO, MINOR, MAJOR, CRITICAL, or BLOCKER;
- The component (directly identifying the source file) and the range of the code lines where the security issue was found;
- The SonarQube security rule that triggered the vulnerability flagging;
- An estimate of the technical debt associated with the vulnerability, i.e., the time needed to modify the code in order to eliminate the security issue.
2.5. Vulnerability Impact Estimation
- The rule is looked up in the SonarQube rules database (https://rules.sonarsource.com/, accessed on 14 May 2023) and its full record is retrieved. This record includes:
- Common weakness enumeration (CWE) identifiers. CWE identifiers are codes assigned to typical security-related code anti-patterns, i.e., patterns of code that are known to lead to vulnerabilities. For instance, the java/RSPEC-6437 SonarQube security rule (https://rules.sonarsource.com/java/RSPEC-6437, accessed on 14 May 2023) is linked to the CWE-798—use of hard-coded credentials (https://cwe.mitre.org/data/definitions/798.html, accessed on 14 May 2023) and the CWE-259—use of hard-coded password weaknesses (https://cwe.mitre.org/data/definitions/259.html, accessed on 14 May 2023). These identifiers are saved and used in the vulnerability impact estimation, as described below.
- A detailed description of the vulnerability, including an explanation of the mechanics of the code anti-pattern, a substantiation of why the anti-pattern leads to vulnerabilities, and recommendations on how the code can be transformed to eliminate the vulnerability. This information is saved, to be presented to software security experts and to assist them in their vulnerability remediation tasks.
- Subsequently, the vulnerability management framework applies a statistical approach to compute an estimate of the impact of the security issue. More specifically, the vulnerability management framework utilizes the information present in the common vulnerability enumeration (CVE) database (https://cve.mitre.org/data/downloads/, accessed on 14 May 2023) to identify known vulnerabilities that are due to the exact same code anti-patterns with which the current security issue is associated. This database will be denoted as VulDB. For each vulnerability , the following fields are retrieved:
- , which corresponds to the id of the vulnerability
- , which denotes the set of common weaknesses to which the vulnerability is associated. For instance, for the vulnerability with an ID equal to CVE-2009-0003 it holds that , i.e., vulnerability CVE-2009-0003 is associated with the CWE having an ID equal to CWE-119, corresponding to the anti-pattern of improper restriction of operations within the bounds of a memory buffer (https://cwe.mitre.org/data/definitions/119.html, accessed on 14 May 2023), commonly referred to as buffer overflow.
- , which corresponds to the impact of the vulnerability, i.e., a measure of the adverse effects that the exploitation of the vulnerability by attackers may have on the platform. The value of is assigned by human experts, after careful review of the application code.
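As an added example (my code, not the framework's), the following walks one SonarQube finding through the steps of Sections 2.4 and 2.5: the issue record with the fields listed in 2.4 is read, its technical debt is converted to working hours, the triggering rule is mapped to CWE identifiers, the VulDB entries sharing those CWEs are collected, and their expert-assigned impacts on confidentiality, integrity and availability are aggregated. Assumptions: the issue field names (rule, severity, component, textRange, message, debt) are my reading of the SonarQube issues web API; java:S6437 is assumed to be the rule key of the cited java/RSPEC-6437 rule; the rule-to-CWE map, the VulDB records (placeholder CVE ids, except the CVE-2009-0003/CWE-119 pairing from the text) and all impact values are constructed; matching on shared CWE ids and using the mean as the statistic are my choices, since the page does not state the exact estimator. A rule with no historical evidence in VulDB yields no estimate and is flagged for expert review rather than given a default score.

```python
"""Added example, not the framework's code: from one SonarQube security issue to a
CWE-based impact estimate (Sections 2.4 and 2.5)."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed rule -> CWE map. The key form "java:S6437" for the cited java/RSPEC-6437 rule
# (hard-coded credentials / hard-coded password) is an assumption; java:S2077 -> CWE-89 is invented.
RULE_CWES = {
    "java:S6437": {798, 259},
    "java:S2077": {89},
}


@dataclass(frozen=True)
class VulRecord:
    cve_id: str
    cwes: frozenset[int]
    impact_cia: tuple[int, int, int]   # expert-assigned impact on C, I, A; constructed 0..10 scale


# Constructed VulDB: CVE-2009-0003 / CWE-119 is the pairing named in the text, its impact value
# and the remaining records (placeholder ids) are invented for the example.
VULDB = [
    VulRecord("CVE-2009-0003", frozenset({119}), (6, 6, 8)),
    VulRecord("CVE-PLACEHOLDER-0001", frozenset({798}), (9, 7, 3)),
    VulRecord("CVE-PLACEHOLDER-0002", frozenset({259, 798}), (7, 5, 1)),
    VulRecord("CVE-PLACEHOLDER-0003", frozenset({120}), (5, 5, 9)),
]

# Constructed SonarQube issue, shaped like one entry of the issues API response (assumption).
SONAR_ISSUE = {
    "rule": "java:S6437",
    "severity": "BLOCKER",
    "component": "iot-gateway:src/main/java/gw/DbClient.java",
    "textRange": {"startLine": 42, "endLine": 44},
    "message": "Revoke and change this password, as it is compromised.",
    "debt": "1h30min",
}

_DEBT_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)min)?")


def debt_to_hours(debt: str, hours_per_day: int = 8) -> float:
    """Convert SonarQube's '2d1h30min' style technical-debt string into working hours."""
    m = _DEBT_RE.fullmatch(debt.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised debt value {debt!r}")
    d, h, mi = (int(g) if g else 0 for g in m.groups())
    return d * hours_per_day + h + mi / 60


@dataclass(frozen=True)
class ImpactEstimate:
    cwes: frozenset[int]
    matched_cves: tuple[str, ...]
    estimate_cia: tuple[float, float, float] | None   # None: no evidence in VulDB, needs expert review
    fix_hours: float


def estimate_issue_impact(issue: dict, rule_cwes=RULE_CWES, vuldb=VULDB) -> ImpactEstimate:
    """Map the triggering rule to CWE ids, collect VulDB entries sharing at least one of them
    (assumption: the page speaks of 'the exact same anti-patterns' but gives no matching rule),
    and average their expert impacts per dimension (the mean is my choice of statistic)."""
    cwes = frozenset(rule_cwes.get(issue["rule"], ()))
    matched = [v for v in vuldb if v.cwes & cwes]
    fix_hours = debt_to_hours(issue["debt"])
    if not matched:
        return ImpactEstimate(cwes, (), None, fix_hours)
    n = len(matched)
    est = tuple(sum(v.impact_cia[k] for v in matched) / n for k in range(3))
    return ImpactEstimate(cwes, tuple(v.cve_id for v in matched), est, fix_hours)


def overall_impact(cia: tuple[float, float, float], weights=(1 / 3, 1 / 3, 1 / 3)) -> float:
    """Collapse the per-dimension estimate into one number using deployment-specific weights
    (Section 2.6's example: integrity above availability for a public database). Using a
    weighted sum for this step is an assumption; the page does not give the combination rule."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(c * w for c, w in zip(cia, weights))


if __name__ == "__main__":
    r = estimate_issue_impact(SONAR_ISSUE)
    print(r)
    print("overall (public DB weights):", overall_impact(r.estimate_cia, (0.2, 0.5, 0.3)))
```

For the constructed data the hard-coded-credentials issue matches the two CWE-798/CWE-259 records and gets (8.0, 6.0, 2.0) on C/I/A with 1.5 hours of fix time; the SQL-injection rule has no matching VulDB record and comes back with no estimate.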
2.6. Prioritizing Security Fixes
- The importance of each security dimension, either globally or per specific software deployment. For instance, a web server may be used to make a public database available, and the integrity of the database records may be deemed more important than the availability of the service, while confidentiality may be considered of low importance (since the database is public). On the contrary, for a web server managing a health record database, all the security dimensions (confidentiality, integrity, and availability) may be deemed of high importance.
- The importance of each software deployment. In the previous example, the impact of any demotion of the value of the public database may be deemed to be lower than the impact of a corresponding demotion in the value of the medical record database.
- Firstly, the optimization target is formulated. Since the goal of the optimization is the minimization of the residual risk, which is mapped to the impact of the software vulnerabilities that remain unfixed, the objective function of the integer programming problem is
- Subsequently, the cost of implementing fixes to the security issues is calculated using the formula in Equation (4), where the cost of fixing a security issue is multiplied by the corresponding output variable, positioning it so that only the cost of fixes that are selected to be applied is considered.
- Finally, the security budget constraint is applied, which is formulated as follows. The solution of the integer programming optimization problem is a set of value assignments to variables
3. Results
- Software components implementing the five most widely used technologies in IoT networks [41], both individually and as elements of an IoT platform;
- An indicative small office/home office (SOHO) configuration.
- BCMM, i.e., an approach according to which vulnerabilities are processed according to the characterization assigned by the SonarQube analysis [42], and more specifically blocker vulnerabilities are handled first, followed by vulnerabilities characterized as critical, major, and minor, in that order. Considering that for the vulnerabilities reported by Sonar, only the technical debt (fix time) is available, three variants of BCMM are considered, namely (a) , where within each categorization, vulnerabilities with the shortest fix time are handled first, (b) , where within each categorization vulnerabilities with the largest technical debt are handled first, and (c) , where vulnerabilities within each categorization are considered in random order.
- IMM: According to the descriptions given for SonarQube vulnerability characterizations [42], blocker issues are bugs with a high probability of impacting the behavior of the application in production, which should be fixed immediately, while critical issues are bugs with a low probability of impacting the behavior of the application in production, or issues that represent security flaw vulnerabilities, and must also be fixed immediately. Since both classes are designated to require immediate handling, in the IMM approach they are merged into a single class, immediate, while issues in the major and minor classes retain their original characterization. Similarly to the BCMM approach, three variants are considered, namely , , and .
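The budgeted selection of Section 2.6 and the BCMM/IMM baselines above, as one added example (my code, not the paper's). The exact solver treats the integer program as a 0/1 knapsack: maximize the mitigated impact (equivalently, minimize the residual impact of unfixed issues) subject to the fix-time budget, with the symbols of the paper's notation table (I_i overall impact, t_i fix time in working hours, B the budget, x_i the 0/1 output variable). The heuristics are my reading of the baselines: issues are walked by severity class, within a class by shortest, longest or random fix time, and IMM merges blocker and critical into one immediate class; I assume an issue that does not fit the remaining budget is skipped and the walk continues, which the page does not specify. Fix times are assumed to be whole hours, and all issue data is constructed.

```python
"""Added example, not the paper's code: exact budgeted fix selection (Section 2.6) versus
the BCMM and IMM severity-ordered heuristics (Section 3). All issue data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
import random

# SonarQube severities, most urgent first: the order in which BCMM processes classes.
SEVERITY_RANK = {"BLOCKER": 0, "CRITICAL": 1, "MAJOR": 2, "MINOR": 3, "INFO": 4}


@dataclass(frozen=True)
class Issue:
    sid: str          # s_i
    severity: str     # SonarQube characterization
    impact: float     # I_i, overall impact on the IoT platform
    fix_hours: int    # t_i, technical debt in whole working hours (assumption: integer hours)


# Constructed issue set; impacts and fix times are invented for the example.
ISSUES = [
    Issue("s1", "BLOCKER", 9.0, 20),
    Issue("s2", "BLOCKER", 4.0, 3),
    Issue("s3", "CRITICAL", 8.5, 10),
    Issue("s4", "CRITICAL", 2.0, 2),
    Issue("s5", "MAJOR", 7.0, 5),
    Issue("s6", "MAJOR", 1.5, 1),
    Issue("s7", "MINOR", 3.0, 4),
]


@dataclass(frozen=True)
class Plan:
    fixed: tuple[str, ...]   # issues with x_i = 1
    mitigated: float         # sum of I_i over fixed issues
    consumed: int            # sum of t_i over fixed issues, the cost of Equation (4)
    residual: float          # impact left unfixed: the quantity the paper minimizes


def _plan(issues: list[Issue], chosen: list[Issue]) -> Plan:
    total = sum(it.impact for it in issues)
    mitigated = sum(it.impact for it in chosen)
    return Plan(tuple(sorted(it.sid for it in chosen)), mitigated,
                sum(it.fix_hours for it in chosen), total - mitigated)


def optimal_plan(issues: list[Issue], budget: int) -> Plan:
    """Exact solution by dynamic programming: maximize sum I_i x_i subject to sum t_i x_i <= B.
    Maximizing mitigated impact equals minimizing residual impact because the total is fixed."""
    n = len(issues)
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]   # best[i][b]: first i issues, budget b
    for i, it in enumerate(issues, 1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if it.fix_hours <= b:
                best[i][b] = max(best[i][b], best[i - 1][b - it.fix_hours] + it.impact)
    chosen, b = [], budget          # backtrack to recover the x_i assignment
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(issues[i - 1])
            b -= issues[i - 1].fix_hours
    return _plan(issues, chosen)


def heuristic_plan(issues: list[Issue], budget: int, merge_immediate: bool = False,
                   within: str = "shortest", seed: int = 0) -> Plan:
    """BCMM (merge_immediate=False) or IMM (True): walk the issues by severity class and, inside
    a class, by shortest fix time, longest fix time or random order. An issue is fixed if it still
    fits the remaining budget, otherwise skipped (assumption: the page does not say the walk stops)."""
    rng = random.Random(seed)
    within_key = {"shortest": lambda it: it.fix_hours,
                  "longest": lambda it: -it.fix_hours,
                  "random": lambda it: rng.random()}[within]

    def rank(it: Issue) -> int:
        r = SEVERITY_RANK[it.severity]
        return 0 if merge_immediate and r <= 1 else r   # IMM: blocker + critical -> immediate

    chosen, remaining = [], budget
    for it in sorted(issues, key=lambda it: (rank(it), within_key(it))):
        if it.fix_hours <= remaining:
            chosen.append(it)
            remaining -= it.fix_hours
    return _plan(issues, chosen)


if __name__ == "__main__":
    B = 20
    print("optimal       ", optimal_plan(ISSUES, B))
    print("BCMM shortest ", heuristic_plan(ISSUES, B, within="shortest"))
    print("BCMM longest  ", heuristic_plan(ISSUES, B, within="longest"))
    print("IMM  shortest ", heuristic_plan(ISSUES, B, merge_immediate=True))
```

With a budget of 20 hours the exact solver fixes s2, s3, s4 and s5 for 21.5 of the 35.0 total impact, whereas BCMM with shortest-first ordering reaches 19.0 and BCMM with longest-first spends the whole budget on the single blocker s1 for 9.0, which is the kind of gap the paper's comparison against the severity-ordered baselines is about.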
3.1. Experiments for the Commonly Used IoT Technologies
- The advanced message-queuing protocol (AMQP), an open standard protocol used for message exchange, including publish/subscribe and point-to-point, as well as queues [43],
- Bluetooth and Bluetooth low-energy (BLE), a short-range communication protocol and its low-energy variant [44],
- Cellular communications, i.e., implementation of communication through cellular telephony networks (2G, 3G, 4G/LTE, and 5G),
- The constrained application protocol (CoAP) [45], a specialized internet protocol for devices with constrained resources (e.g., wireless sensors), which enables communication both (a) between pairs or groups of devices running CoAP and (b) between devices running CoAP and the internet.
- The data distribution service for real-time systems (DDS) [46], a networking middleware for real-time systems specified by the object management group (OMG), realizing data-centric publish-subscribe mechanisms which can be easily integrated in the application layer.
- AMQP was implemented using RabbitMQ v. 3.4.0 (https://github.com/rabbitmq/rabbitmq-server/tree/rabbitmq_v3_4_0, accessed on 14 May 2023),
- Bluetooth/Bluetooth LE was implemented using the Android 13 drivers (https://android.googlesource.com/kernel/msm/+/refs/tags/android-13.0.0_r0.1/drivers/bluetooth/, accessed on 14 May 2023)
- Cellular communications were implemented using Open5GS v. 2.1.3 (https://github.com/open5gs/open5gs/releases/tag/v2.1.3, accessed on 14 May 2023)
- CoAP was implemented using the CoAP library in Arm Mbed OS 5.14.0 (https://github.com/ARMmbed/mbed-os/releases/tag/mbed-os-5.14.0, accessed on 14 May 2023)
- DDS was implemented using OpenDDS v. 3.16.1 (https://github.com/OpenDDS/OpenDDS/releases/tag/DDS-3.16.1, accessed on 14 May 2023)
3.2. Experiments for the SOHO Configuration
- A router running pfSense (https://github.com/pfsense/pfsense/tree/a81a848e7565cf4b5e1679fe6d08c39d13ab7a6f, accessed on 14 May 2023),
- A NAS appliance running the Minnow Server (https://github.com/RealTimeLogic/MinnowServer, accessed on 14 May 2023)
- A smart air-conditioning appliance running the Pymodbus software (https://github.com/pymodbus-dev/pymodbus, accessed on 14 May 2023)
- A mobile phone and a PC which include Modbus4j software (https://github.com/MangoAutomation/modbus4j, accessed on 14 May 2023) in order to control the air-conditioning appliance.
4. Discussion
5. Conclusions
Author Contributions
Funding
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Grau, A.; Indri, M.; Bello, L.L.; Sauter, T. Industrial robotics in factory automation: From the early stage to the Internet of Things. In Proceedings of the IECON 2017—43rd Annual Conference of the IEEE Industrial Electronics Society, Beijing, China, 29 October–1 November 2017. [Google Scholar] [CrossRef]
- Grau, A.; Indri, M.; Bello, L.L.; Sauter, T. Robots in Industry: The Past, Present, and Future of a Growing Collaboration With Humans. IEEE Ind. Electron. Mag. 2021, 15, 50–61. [Google Scholar] [CrossRef]
- Barai, G.R.; Krishnan, S.; Venkatesh, B. Smart metering and functionalities of smart meters in smart grid—A review. In Proceedings of the 2015 IEEE Electrical Power and Energy Conference (EPEC), London, ON, Canada, 26–28 October 2015. [Google Scholar] [CrossRef]
- Coppola, R.; Morisio, M. Connected Car. ACM Comput. Surv. 2016, 49, 1–36. [Google Scholar] [CrossRef]
- Hussain, R.; Zeadally, S. Autonomous Cars: Research Results, Issues, and Future Challenges. IEEE Commun. Surv. Tutor. 2019, 21, 1275–1313. [Google Scholar] [CrossRef]
- Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2021, with Forecasts from 2022 to 2030. 2022. Available online: https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/ (accessed on 4 February 2023).
- The Internet of Things: A Movement, Not a Market. 2017. Available online: https://cdn.ihs.com/www/pdf/IoT-ebook.pdf (accessed on 4 February 2023).
- binti Mohamad Noor, M.; Hassan, W.H. Current research on Internet of Things (IoT) security: A survey. Comput. Netw. 2019, 148, 283–294. [Google Scholar] [CrossRef]
- Ali, R.F.; Muneer, A.; Dominic, P.D.D.; Taib, S.M.; Ghaleb, E.A.A. Internet of Things (IoT) Security Challenges and Solutions: A Systematic Literature Review. In Communications in Computer and Information Science; Springer: Singapore, 2021; pp. 128–154. [Google Scholar] [CrossRef]
- HaddadPajouh, H.; Dehghantanha, A.; Parizi, R.M.; Aledhari, M.; Karimipour, H. A survey on internet of things security: Requirements, challenges, and solutions. Internet Things 2021, 14, 100129. [Google Scholar] [CrossRef]
- Omolara, A.E.; Alabdulatif, A.; Abiodun, O.I.; Alawida, M.; Alabdulatif, A.; Alshoura, W.H.; Arshad, H. The internet of things security: A survey encompassing unexplored areas and new insights. Comput. Secur. 2022, 112, 102494. [Google Scholar] [CrossRef]
- Evaluators, I.S. SOHOpelessly Broken 2.0. 2019. Available online: https://www.ise.io/casestudies/sohopelessly-broken-2-0/ (accessed on 4 February 2023).
- Herwig, S.; Harvey, K.; Hughey, G.; Roberts, R.; Levin, D. Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet. In Proceedings of the 2019 Network and Distributed System Security Symposium, San Diego, CA, USA, 24–27 February 2019; Internet Society: Reston, VA, USA, 2019. [Google Scholar] [CrossRef]
- Bastos, G.; Marzano, A.; Fonseca, O.; Fazzion, E.; Hoepers, C.; Steding-Jessen, K.; Chaves, M.H.P.C.; Cunha, I.; Guedes, D.; Meira, W. Identifying and Characterizing Bashlite and Mirai C&C Servers. In Proceedings of the 2019 IEEE Symposium on Computers and Communications (ISCC), Barcelona, Spain, 29 June–3 July 2019. [Google Scholar] [CrossRef]
- Hiesgen, R.; Nawrocki, M.; Schmidt, T.C.; Wählisch, M. The Race to the Vulnerable: Measuring the Log4j Shell Incident. arXiv 2022, arXiv:2205.02544. [Google Scholar] [CrossRef]
- OpenLiberty Group. Open Liberty. 2023. Available online: https://openliberty.io/ (accessed on 4 February 2023).
- OpenLiberty Group. Open Liberty: Feature Overview. 2023. Available online: https://openliberty.io/docs/latest/reference/feature/feature-overview.html (accessed on 4 February 2023).
- Sotiropoulos, P.; Vassilakis, C. The additional testsuite framework: Facilitating software testing and test management. Int. J. Web Eng. Technol. 2022, 17, 296–334. [Google Scholar] [CrossRef]
- Al-boghdady, A.; Wassif, K.; El-ramly, M. The presence, trends, and causes of security vulnerabilities in operating systems of iot’s low-end devices. Sensors 2021, 21, 2329. [Google Scholar] [CrossRef] [PubMed]
- Kaur, A.; Nayyar, R. A Comparative Study of Static Code Analysis tools for Vulnerability Detection in C/C++ and JAVA Source Code. Procedia Computer Science 2020, 171, 2023–2029. [Google Scholar] [CrossRef]
- OWASP. OWASP Code Review Guide v2; Technical Report; OWASP: Wakefield, MA, USA, 2017. [Google Scholar]
- Mathas, C.M.; Vassilakis, C.; Kolokotronis, N.; Zarakovitis, C.C.; Kourtis, M.A. On the design of IoT security: Analysis of software vulnerabilities for smart grids. Energies 2021, 14, 2818. [Google Scholar] [CrossRef]
- Schiller, E.; Aidoo, A.; Fuhrer, J.; Stahl, J.; Ziörjen, M.; Stiller, B. Landscape of IoT security. Comput. Sci. Rev. 2022, 44, 100467. [Google Scholar] [CrossRef]
- Calatayud, B.M.; Meany, L. A comparative analysis of Buffer Overflow vulnerabilities in High-End IoT devices. In Proceedings of the 2022 IEEE 12th Annual Computing and Communication Workshop and Conference, CCWC 2022, Las Vegas, NV, USA, 26–29 January 2022; pp. 694–701. [Google Scholar] [CrossRef]
- de Vicente Mohino, J.; Higuera, J.B.; Higuera, J.R.B.; Montalvo, J.A.S. The Application of a New Secure Software Development Life Cycle (S-SDLC) with Agile Methodologies. Electronics 2019, 8, 1218. [Google Scholar] [CrossRef]
- SAFECode. Fundamental Practices for Secure Software Development; Technical Report 3rd; SAFEcode: Wakefield, MA, USA, 2018. [Google Scholar]
- Rashid, A.; Chivers, H.; Danezis, G.; Lupu, E.; Martin, A. CyBok Version 1.0; Technical Report; CyBok: Bristol, UK, 2019. [Google Scholar]
- Dewhurst, R. OWASP Static Code Analysis; Technical Report; OWASP: Wakefield, MA, USA, 2023. [Google Scholar]
- Sachidananda, V.; Bhairav, S.; Ghosh, N.; Elovici, Y. PIT: A Probe Into Internet of Things by Comprehensive Security Analysis. In Proceedings of the 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), Rotorua, New Zealand, 5–8 August 2019; pp. 522–529. [Google Scholar] [CrossRef]
- Samtani, S.; Yu, S.; Zhu, H.; Patton, M.; Chen, H. Identifying SCADA vulnerabilities using passive and active vulnerability assessment techniques. In Proceedings of the 2016 IEEE Conference on Intelligence and Security Informatics (ISI), Tucson, AZ, USA, 28–30 September 2016; pp. 25–30. [Google Scholar] [CrossRef]
- Geneiatakis, D.; Kounelis, I.; Neisse, R.; Nai-Fovino, I.; Steri, G.; Baldini, G. Security and privacy issues for an IoT based smart home. In Proceedings of the 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 22–26 May 2017; pp. 1292–1297. [Google Scholar] [CrossRef]
- Overstreet, D.; Wimmer, H.; Haddad, R.J. Penetration Testing of the Amazon Echo Digital Voice Assistant Using a Denial-of-Service Attack. In Proceedings of the 2019 SoutheastCon, Huntsville, AL, USA, 11–14 April 2019; pp. 1–6. [Google Scholar] [CrossRef]
- He, D.; Yu, X.; Li, T.; Chan, S.; Guizani, M. Firmware Vulnerabilities Homology Detection Based on Clonal Selection Algorithm for IoT Devices. IEEE Internet Things J. 2022, 9, 16438–16445. [Google Scholar] [CrossRef]
- Kotenko, I.; Izrailov, K.; Buinevich, M. Static Analysis of Information Systems for IoT Cyber Security: A Survey of Machine Learning Approaches. Sensors 2022, 22, 1335. [Google Scholar] [CrossRef] [PubMed]
- Akhilesh, R.; Bills, O.; Chilamkurti, N.; Chowdhury, M.J.M. Automated Penetration Testing Framework for Smart-Home-Based IoT Devices. Future Internet 2022, 14, 276. [Google Scholar] [CrossRef]
- Zheng, Y.; Li, Y.; Zhang, C.; Zhu, H.; Liu, Y.; Sun, L. Efficient greybox fuzzing of applications in Linux-based IoT devices via enhanced user-mode emulation. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, Virtual, 18–22 July 2022; pp. 417–428. [Google Scholar] [CrossRef]
- Prehofer, C. Feature-oriented programming: A new way of object composition. Concurr. Comput. Pract. Exp. 2001, 13, 465–501. [Google Scholar] [CrossRef]
- Zave, P. Requirements for evolving systems: A telecommunications perspective. In Proceedings of the Fifth IEEE International Symposium on Requirements Engineering, Toronto, ON, Canada, 27–31 August 2001. [Google Scholar] [CrossRef]
- Apel, S.; Batory, D.; Kästner, C.; Saake, G. Feature-Oriented Software Product Lines; Springer: Berlin/Heidelberg, Germany, 2013. [Google Scholar] [CrossRef]
- Dantzig, G.B. Linear Programming. Oper. Res. 2002, 50, 42–47. [Google Scholar] [CrossRef]
- TechTarget. Top 12 Most Commonly Used IoT Protocols and Standards. 2022. Available online: https://www.techtarget.com/iotagenda/tip/Top-12-most-commonly-used-IoT-protocols-and-standards (accessed on 14 May 2023).
- SonarQube. Issues. 2023. Available online: https://docs.sonarqube.org/latest/user-guide/issues/ (accessed on 14 May 2023).
- AMQP Group. AMQP v1.0. 2011. Available online: https://www.amqp.org/sites/amqp.org/files/amqp.pdf (accessed on 14 May 2023).
- Heydon, R. Bluetooth Low Energy; Prentice Hall: Philadelphia, PA, USA, 2012. [Google Scholar]
- Bormann, C.; Castellani, A.P.; Shelby, Z. CoAP: An Application Protocol for Billions of Tiny Internet Nodes. IEEE Internet Comput. 2012, 16, 62–67. [Google Scholar] [CrossRef]
- Yang, J.; Sandstrom, K.; Nolte, T.; Behnam, M. Data Distribution Service for industrial automation. In Proceedings of the 2012 IEEE 17th International Conference on Emerging Technologies & Factory Automation (ETFA 2012), Krakow, Poland, 17–21 September 2012. [Google Scholar] [CrossRef]
- IPCisco. Small Office/Home Office (SOHO) Architecture. 2018. Available online: https://ipcisco.com/lesson/network-topology-architectures/ (accessed on 14 May 2023).
- Penz, R. Ready Your Home Network for IoT. 2016. Available online: https://robert.penz.name/1341/ready-your-home-network-for-iot/ (accessed on 14 May 2023).
- Ozkaya, M. Teaching Design-by-Contract for the Modeling and Implementation of Software Systems. In Proceedings of the 14th International Conference on Software Technologies, Prague, Czech Republic, 26–28 July 2019; SCITEPRESS—Science and Technology Publications: Setúbal, Portugal, 2019. [Google Scholar] [CrossRef]
- Silva, C.; Guérin, S.; Mazo, R.; Champeau, J. Contract-based design patterns. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual, 25–28 August 2020. [Google Scholar] [CrossRef]
- Wang, B.; Gong, N.Z. Attacking Graph-based Classification via Manipulating the Graph Structure. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019. [Google Scholar] [CrossRef]
- Ghazo, A.T.A.; Ibrahim, M.; Ren, H.; Kumar, R. A2G2V: Automatic Attack Graph Generation and Visualization and Its Applications to Computer and SCADA Networks. IEEE Trans. Syst. Man Cybern. Syst. 2020, 50, 3488–3498. [Google Scholar] [CrossRef]
- O’Leary, M. Privilege Escalation in Linux. In Cyber Operations; Apress: Berlin, Germany, 2019; pp. 419–453. [Google Scholar] [CrossRef]
- Rangnau, T.; Buijtenen, R.v.; Fransen, F.; Turkmen, F. Continuous Security Testing: A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines. In Proceedings of the 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC), Eindhoven, The Netherlands, 5–8 October 2020. [Google Scholar] [CrossRef]
- Zhao, G.; Huang, J. DeepSim: Deep learning code functional similarity. In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Lake Buena Vista, FL, USA, 4–9 November 2018. [Google Scholar] [CrossRef]
| Notation | Description |
|---|---|
| | The ith security issue |
| N | The number of security issues detected |
| | The available security budget, expressed in available working hours |
| | 1 if is remotely exploitable, otherwise 0 |
| | The impact of on confidentiality |
| | The impact of on integrity |
| | The impact of on availability |
| | The overall impact of on the IoT platform, considering all security dimensions (confidentiality, integrity, and availability) |
| | The time needed to fix , expressed in working hours |
| | An output variable of the problem; is set to 1 if security budget is allocated to fixing , otherwise is set to 0. |

Security Budget | # Issues Mitigated | Consumed Budget | Impact Mitigated | % of Total Budget Available | % Issues Mitigated | % Impact Mitigated |
---|---|---|---|---|---|---|
50 | 8 | 47 | 58.95 | 5.17% | 17.02% | 21.57% |
125 | 15 | 122 | 98.25 | 12.93% | 12.62% | 35.94% |
250 | 23 | 247 | 144.13 | 25.85% | 48.94% | 52.73% |
500 | 33 | 497 | 210.52 | 51.71% | 70.21% | 77.02% |

Security Budget | # Issues Mitigated | Consumed Budget | Impact Mitigated | % of Total Budget Available | % Issues Mitigated | % Impact Mitigated |
---|---|---|---|---|---|---|
250 | 13 | 245 | 107.46 | 8.63% | 13% | 14.88% |
500 | 22 | 500 | 185.899 | 17.61% | 22% | 25.74% |
1000 | 38 | 980 | 308.05 | 34.51% | 38% | 42.65% |
1500 | 55 | 1490 | 437.78 | 52.46% | 55% | 60.61% |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Sotiropoulos, P.; Mathas, C.-M.; Vassilakis, C.; Kolokotronis, N. A Software Vulnerability Management Framework for the Minimization of System Attack Surface and Risk. Electronics 2023, 12, 2278. https://doi.org/10.3390/electronics12102278