STATE REGULATION OF NAMING AND SOFTWARE IDENTIFICATION IN VULNERABILITY MANAGEMENT PROCESSES

Authors

  • V.G. Zhukov
  • S.V. Seligeev

Abstract

IT asset management is the foundation for building an effective vulnerability management process.
Without an understanding of the IT assets under control, it is technically impossible to start building a
vulnerability management process. With an existing IT asset management process in place, one of the
tasks that is essential to vulnerability management is to uniquely name software as an asset. This unambiguous
naming allows the software and its vulnerabilities to be identified without actively scanning IT
infrastructure nodes, but only by interacting with the IT asset management system. Technically, this approach
can be called “passive vulnerability detection,” but it is extremely labor-intensive to implement
using existing naming systems. In order to make the possibility of passive detection more realistic, the
authors propose to create a common foundation by forming a conceptual scheme and then creating a system
of standardized naming and identification of software, the regulation of which will be centralized at
the state level. As part of the review of existing software naming systems, attention is paid to CPE problems
both on the part of on-site specialists, namely obtaining CPE identifiers and translating software
information into a CPE identifier, and on the part of a vulnerability data aggregator, namely obtaining
vulnerability information via a CPE identifier. The problems of CPE application, as well as the problems
of interaction with vulnerability data aggregators from unfriendly countries, discovered in the course of
the research form the prerequisites for the formation of a national system for state regulation of software
naming and identification, which will eliminate the problems of existing software naming systems. In conclusion,
advantages of the national system of software naming and identification are given in case of its
creation and use in real conditions by all participants of the vulnerability management process

References

Downloads

Published

2025-01-14

Issue

No. 6 (2024)

Section

SECTION III. COMPUTING AND INFORMATION MANAGEMENT SYSTEMS