
Lund University Publications


Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Hell, Martin (LU) and Höst, Martin (LU) (2021). In Lecture Notes in Computer Science, pp. 215-230.
Abstract
The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.
author: Hell, Martin; Höst, Martin
publishing date: 2021
type: Chapter in Book/Report/Conference proceeding
publication status: published
host publication: International Conference on Product-Focused Software Process Improvement : PROFES 2021
series title: Lecture Notes in Computer Science
pages: 215-230
external identifiers: scopus:85121602410
ISSN: 1611-3349
ISBN: 978-3-030-91452-3
DOI: 10.1007/978-3-030-91452-3_15
project: Säkra mjukvaruuppdateringar för den smarta staden; HATCH: Handling Vulnerabilities in the Value Chain
language: English
LU publication?: yes
id: 1b6e9dd4-963f-41b8-b2c1-e4279aacf3bd
date added to LUP: 2021-09-29 13:17:58
date last changed: 2022-05-05 19:14:43
@inproceedings{1b6e9dd4-963f-41b8-b2c1-e4279aacf3bd,
  abstract     = {{The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and inter-company communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.}},
  author       = {{Hell, Martin and Höst, Martin}},
  booktitle    = {{International Conference on Product-Focused Software Process Improvement : PROFES 2021}},
  isbn         = {{978-3-030-91452-3}},
  issn         = {{1611-3349}},
  language     = {{eng}},
  pages        = {{215--230}},
  series       = {{Lecture Notes in Computer Science}},
  title        = {{Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study}},
  url          = {{https://lup.lub.lu.se/search/files/111925793/Profes_case_study.pdf}},
  doi          = {{10.1007/978-3-030-91452-3_15}},
  year         = {{2021}},
}