Tampere University of Technology

TUTCRIS Research Portal

A Case Study on Software Vulnerability Coordination

Research output: Contribution to journal › Article › Scientific › peer-review

Standard

A Case Study on Software Vulnerability Coordination. / Ruohonen, Jukka; Rauti, Sampsa; Hyrynsalmi, Sami; Leppänen, Ville.

In: Information and Software Technology, Vol. 103, 11.2018, p. 239-257.

Harvard

Ruohonen, J, Rauti, S, Hyrynsalmi, S & Leppänen, V 2018, 'A Case Study on Software Vulnerability Coordination', Information and Software Technology, vol. 103, pp. 239-257. https://doi.org/10.1016/j.infsof.2018.06.005

APA

Ruohonen, J., Rauti, S., Hyrynsalmi, S., & Leppänen, V. (2018). A Case Study on Software Vulnerability Coordination. Information and Software Technology, 103, 239-257. https://doi.org/10.1016/j.infsof.2018.06.005

Vancouver

Ruohonen J, Rauti S, Hyrynsalmi S, Leppänen V. A Case Study on Software Vulnerability Coordination. Information and Software Technology. 2018 Nov;103:239-257. https://doi.org/10.1016/j.infsof.2018.06.005

Author

Ruohonen, Jukka ; Rauti, Sampsa ; Hyrynsalmi, Sami ; Leppänen, Ville. / A Case Study on Software Vulnerability Coordination. In: Information and Software Technology. 2018 ; Vol. 103. pp. 239-257.

BibTeX

@article{b14abdeef6b94ca9ae514292ba323e79,
title = "A Case Study on Software Vulnerability Coordination",
abstract = "Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for the contemporary CVE coordination.",
author = "Jukka Ruohonen and Sampsa Rauti and Sami Hyrynsalmi and Ville Lepp{\"a}nen",
year = "2018",
month = "11",
doi = "10.1016/j.infsof.2018.06.005",
language = "English",
volume = "103",
pages = "239--257",
journal = "Information and Software Technology",
issn = "0950-5849",
publisher = "Elsevier",
}
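The abstract names the explanatory metrics behind the regression: the delay between a CVE's assignment on the mailing list and its appearance in NVD, calendar and weekend controls, node degrees in the coordination network, the entropy of the emails, traces to bug trackers, and the number of NVD references. The block below is an added example and is not the authors' code or data: it reconstructs metrics of that kind from a constructed set of mailing-list messages and a constructed NVD lookup. The message fields, the NVD dictionary, the character-level entropy, the URL pattern used as a bug-tracker trace, and the thread-co-participation definition of the coordination network are all assumptions made for the illustration, not the paper's operational definitions. The unpublished CVE-2015-0004 shows the case the paper's delay measurement has to leave open: a CVE assigned on the list that has not (yet) appeared in NVD.

```python
"""Per-CVE coordination metrics from mailing-list traffic (added example,
not the paper's code; all data below is constructed)."""
import math
import re
from collections import Counter, defaultdict
from datetime import date, datetime

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumption: a URL containing bug/issue/ticket counts as a bug-tracker trace.
TRACKER_RE = re.compile(r"https?://\S*(?:bug|issue|ticket)\S*", re.I)

# Constructed messages; fields and addresses are assumptions, not real list traffic.
MESSAGES = [
    {"date": "2015-03-06T17:40:00", "from": "alice@example.org",
     "subject": "CVE request: foo-lib heap overflow",
     "body": "Please assign a CVE for the heap overflow in foo-lib 1.2.\n"
             "Tracked at https://bugs.example.org/1234"},
    {"date": "2015-03-07T09:05:00", "from": "cve-assign@example.org",   # a Saturday
     "subject": "Re: CVE request: foo-lib heap overflow",
     "body": "Use CVE-2015-0001 for the foo-lib heap overflow."},
    {"date": "2015-03-09T11:20:00", "from": "bob@example.org",
     "subject": "CVE request: bar-daemon auth bypass",
     "body": "bar-daemon 2.0 accepts an empty password in the PAM path."},
    {"date": "2015-03-10T08:30:00", "from": "cve-assign@example.org",
     "subject": "Re: CVE request: bar-daemon auth bypass",
     "body": "Use CVE-2015-0002 for the bar-daemon authentication bypass."},
    {"date": "2015-03-10T14:00:00", "from": "alice@example.org",
     "subject": "Re: Re: CVE request: bar-daemon auth bypass",
     "body": "CVE-2015-0002 also affects 1.x; see "
             "https://bugzilla.example.org/show_bug.cgi?id=99"},
    {"date": "2015-03-11T16:10:00", "from": "carol@example.org",
     "subject": "CVE request: baz-server DoS and NULL deref",
     "body": "Two issues in baz-server 3.1: a DoS via crafted header and a NULL deref."},
    {"date": "2015-03-12T10:00:00", "from": "cve-assign@example.org",
     "subject": "Re: CVE request: baz-server DoS and NULL deref",
     "body": "Use CVE-2015-0003 for the DoS and CVE-2015-0004 for the NULL deref."},
]

# Constructed NVD lookup: publication date and reference count per CVE.
# CVE-2015-0004 is deliberately absent (assigned on the list, never published).
NVD = {
    "CVE-2015-0001": {"published": "2015-03-20", "references": 4},
    "CVE-2015-0002": {"published": "2015-03-17", "references": 2},
    "CVE-2015-0003": {"published": "2015-04-02", "references": 1},
}


def thread_key(subject):
    """Normalise a subject so replies fall into the same thread."""
    s = subject.strip()
    while True:
        stripped = re.sub(r"^(?:re|fwd?|aw)\s*:\s*", "", s, flags=re.I)
        if stripped == s:
            return s.lower()
        s = stripped


def shannon_entropy(text):
    """Character-level Shannon entropy in bits (assumed proxy for email 'noise')."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def coordination_degrees(messages):
    """Degree of each sender in the network linking people who post in the same thread."""
    participants = defaultdict(set)
    for m in messages:
        participants[thread_key(m["subject"])].add(m["from"])
    neighbours = defaultdict(set)
    for people in participants.values():
        for p in people:
            neighbours[p] |= people - {p}
    return {p: len(n) for p, n in neighbours.items()}


def cve_metrics(messages, nvd):
    """Build the per-CVE metric table: delay, calendar/weekend controls,
    assigner degree, entropy, bug-tracker traces, NVD references."""
    ordered = sorted(messages, key=lambda m: m["date"])  # ISO strings sort by time
    degrees = coordination_degrees(ordered)
    first = {}                                            # CVE id -> first message naming it
    for m in ordered:
        for cve in CVE_RE.findall(m["subject"] + " " + m["body"]):
            first.setdefault(cve, m)
    table = {}
    for cve, m in first.items():
        assigned = datetime.fromisoformat(m["date"])
        record = nvd.get(cve)
        published = date.fromisoformat(record["published"]) if record else None
        thread = [t for t in ordered if thread_key(t["subject"]) == thread_key(m["subject"])]
        table[cve] = {
            "assigned": assigned.date(),
            # None when NVD has no entry yet; negative if NVD published first.
            "delay_days": (published - assigned.date()).days if published else None,
            "weekend": assigned.weekday() >= 5,
            "year": assigned.year, "month": assigned.month,
            "assigner_degree": degrees[m["from"]],
            "entropy_bits": shannon_entropy(m["body"]),
            "bug_tracker_traces": sum(bool(TRACKER_RE.search(t["body"])) for t in thread),
            "thread_messages": len(thread),
            "nvd_references": record["references"] if record else None,
        }
    return table


if __name__ == "__main__":
    for cve, row in cve_metrics(MESSAGES, NVD).items():
        print(cve, row)
```

Rows with `delay_days` of `None` are the censored observations: dropping them silently biases the delay estimate downwards, so a real analysis has to decide explicitly how to treat CVEs that never reach NVD within the observation window.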

RIS (suitable for import to EndNote)

TY  - JOUR
T1  - A Case Study on Software Vulnerability Coordination
AU  - Ruohonen, Jukka
AU  - Rauti, Sampsa
AU  - Hyrynsalmi, Sami
AU  - Leppänen, Ville
PY  - 2018/11
Y1  - 2018/11
N2  - Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for the contemporary CVE coordination.
AB  - Context: Coordination is a fundamental tenet of software engineering. Coordination is required also for identifying discovered and disclosed software vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by recent practical challenges, this paper examines the coordination of CVEs for open source projects through a public mailing list. Objective: The paper observes the historical time delays between the assignment of CVEs on a mailing list and the later appearance of these in the National Vulnerability Database (NVD). Drawing from research on software engineering coordination, software vulnerabilities, and bug tracking, the delays are modeled through three dimensions: social networks and communication practices, tracking infrastructures, and the technical characteristics of the CVEs coordinated. Method: Given a period between 2008 and 2016, a sample of over five thousand CVEs is used to model the delays with nearly fifty explanatory metrics. Regression analysis is used for the modeling. Results: The results show that the CVE coordination delays are affected by different abstractions for noise and prerequisite constraints. These abstractions convey effects from the social network and infrastructure dimensions. Particularly strong effect sizes are observed for annual and monthly control metrics, a control metric for weekends, the degrees of the nodes in the CVE coordination networks, and the number of references given in NVD for the CVEs archived. Smaller but visible effects are present for metrics measuring the entropy of the emails exchanged, traces to bug tracking systems, and other related aspects. The empirical signals are weaker for the technical characteristics. Conclusion: Software vulnerability and CVE coordination exhibit all typical traits of software engineering coordination in general. The coordination perspective elaborated and the case studied open new avenues for further empirical inquiries as well as practical improvements for the contemporary CVE coordination.
U2  - 10.1016/j.infsof.2018.06.005
DO  - 10.1016/j.infsof.2018.06.005
M3  - Article
VL  - 103
SP  - 239
EP  - 257
JO  - Information and Software Technology
JF  - Information and Software Technology
SN  - 0950-5849
ER  - 