STATE REGULATION OF NAMING AND SOFTWARE IDENTIFICATION IN VULNERABILITY MANAGEMENT PROCESSES

Cite as: V.G. Zhukov, S.V. Seligeev. State regulation of naming and software identification in vulnerability management processes // Izvestiya SFedU. Engineering Sciences. 2024. No. 6. pp. 218-229. doi: 10.18522/2311-3103-2024-6-218-229

  • V.G. Zhukov Reshetnev Siberian State University of Science and Technology
  • S.V. Seligeev Reshetnev Siberian State University of Science and Technology
Keywords: Information security, vulnerability management, asset management, CPE

Abstract

IT asset management is the foundation of an effective vulnerability management process: without an inventory of the IT assets under control, a vulnerability management process cannot even be started. Once an asset management process exists, one task essential to vulnerability management is to name software, as an asset, unambiguously. Unambiguous naming makes it possible to identify the software and its vulnerabilities without actively scanning infrastructure nodes, by querying only the IT asset management system. Technically this approach can be called "passive vulnerability detection", but with existing naming systems it is extremely labor-intensive to implement. To make passive detection practical, the authors propose a common foundation: first a conceptual scheme, then a standardized system for naming and identifying software whose regulation is centralized at the state level. The review of existing software naming systems focuses on the problems of CPE, both on the side of on-site specialists (obtaining CPE identifiers and translating information about installed software into a CPE identifier) and on the side of a vulnerability data aggregator (retrieving vulnerability information by CPE identifier). These CPE application problems, together with the problems of interacting with vulnerability data aggregators from unfriendly countries identified during the research, form the prerequisites for a national system of state regulation of software naming and identification that would eliminate the shortcomings of existing naming systems. In conclusion, the advantages of such a national system are given for the case where it is created and used in real conditions by all participants in the vulnerability management process.
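The two CPE tasks the abstract names, translating an asset-management record into a CPE identifier and then retrieving vulnerability information by that identifier, are what passive detection reduces to in practice. The following Python is an added example written for this page, not code from the paper or its authors. It builds CPE 2.3 formatted strings with the escaping rules of NIST IR 7695, parses them back, and matches an inventory against vulnerability records using version ranges named after NVD's versionStartIncluding / versionEndExcluding fields. The inventory export, the alias table, the vulnerability records and the EXAMPLE-nnnn identifiers are all constructed for illustration; the lower-case, underscore-for-space naming convention is assumed from NVD practice, and the match logic simplifies CPE's ANY/NA semantics and pre-release version ordering.

```python
"""Passive vulnerability detection via CPE 2.3 names (added example).

Assumptions (not from the paper): the inventory format, alias table,
vulnerability records and their identifiers are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CPE 2.3 attributes after the "cpe:2.3" prefix, in formatted-string order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def _escape(value: str) -> str:
    """Escape one attribute value for the formatted-string binding.

    Alphanumerics and '_' pass through; '*' (ANY) and '-' (NA) are kept;
    '*' and '?' wildcards inside a value are kept; every other character,
    including '.' in versions, gets a backslash.
    """
    if value in ("*", "-"):
        return value
    return re.sub(r"([^A-Za-z0-9_*?])", r"\\\1", value)


def to_cpe23(part: str, vendor: str, product: str, version: str = "*") -> str:
    """Build a CPE 2.3 formatted string from asset-inventory fields."""
    def norm(s: str) -> str:  # assumed NVD-style naming: lower-case, '_' for spaces
        return s.strip().lower().replace(" ", "_")
    fields = [part, norm(vendor), norm(product), version] + ["*"] * 7
    return "cpe:2.3:" + ":".join(_escape(f) for f in fields)


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into its 11 attributes, honouring '\\:' escapes."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {f: re.sub(r"\\(.)", r"\1", p) for f, p in zip(CPE_FIELDS, parts[2:])}


def version_key(v: str) -> list:
    """Tokenise '2.4.49' so ranges compare numerically (2.4.9 < 2.4.10).

    Numeric tokens are tagged 1, alphabetic tokens 0, so mixed versions
    never raise on comparison; pre-release ordering is deliberately simplified.
    """
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]


@dataclass
class VulnRecord:
    vuln_id: str
    criteria: str                      # CPE 2.3 match string; version may be '*'
    start_incl: Optional[str] = None   # cf. NVD versionStartIncluding
    end_excl: Optional[str] = None     # cf. NVD versionEndExcluding


def cpe_matches(asset_cpe: str, rec: VulnRecord) -> bool:
    """True if the asset's CPE falls inside the record's vulnerable configuration."""
    a, c = parse_cpe23(asset_cpe), parse_cpe23(rec.criteria)
    for f in CPE_FIELDS:
        if f != "version" and c[f] != "*" and c[f] != a[f]:
            return False
    av = a["version"]
    if c["version"] != "*":            # record names one exact version
        return av == c["version"]
    if av == "*":                      # inventory lacks a version: undecidable
        return False
    k = version_key(av)
    if rec.start_incl and k < version_key(rec.start_incl):
        return False
    if rec.end_excl and k >= version_key(rec.end_excl):
        return False
    return True


# Constructed alias table. Maintaining this mapping from inventory product
# names to CPE vendor/product pairs is the manual step the paper calls
# labour-intensive; an unmapped product cannot be detected passively.
ALIASES = {
    "Apache HTTP Server": ("a", "apache", "http_server"),
    "OpenSSL": ("a", "openssl", "openssl"),
}


def inventory_to_cpe(name: str, version: str) -> Optional[str]:
    """Translate an asset-management record into a CPE name; None if unmapped."""
    if name not in ALIASES:
        return None
    part, vendor, product = ALIASES[name]
    return to_cpe23(part, vendor, product, version)


def passive_detect(inventory: List[Tuple[str, str, str]], vulns: List[VulnRecord]):
    """Return ([(host, cpe, vuln_id)], [(host, name)]) from inventory data alone."""
    hits, unmapped = [], []
    for host, name, version in inventory:
        cpe = inventory_to_cpe(name, version)
        if cpe is None:
            unmapped.append((host, name))
            continue
        hits.extend((host, cpe, r.vuln_id) for r in vulns if cpe_matches(cpe, r))
    return hits, unmapped


INVENTORY = [  # constructed asset-management export: (host, product name, version)
    ("web-01", "Apache HTTP Server", "2.4.49"),
    ("web-02", "Apache HTTP Server", "2.4.52"),
    ("lb-01", "OpenSSL", "3.0.1"),
    ("db-01", "Some Vendor DB", "12.1"),   # no alias entry: stays unidentified
]
VULNS = [  # constructed records; identifiers are placeholders, not real CVEs
    VulnRecord("EXAMPLE-0001", "cpe:2.3:a:apache:http_server:2\\.4\\.49:*:*:*:*:*:*:*"),
    VulnRecord("EXAMPLE-0002", "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
               start_incl="3.0.0", end_excl="3.0.2"),
]

if __name__ == "__main__":
    found, missing = passive_detect(INVENTORY, VULNS)
    for h in found:
        print("HIT", *h)
    for u in missing:
        print("UNMAPPED", *u)
```

Running the script reports web-01 and lb-01 as affected and db-01 as unmapped. The unmapped list is the practical check to watch: every product without an alias, and every record without a version, is a host where "passive" detection silently says nothing, which is the gap a standardized naming system is meant to close.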

Published: 2025-01-19
Section: SECTION III. COMPUTING AND INFORMATION MANAGEMENT SYSTEMS