LUP Student Papers

LUND UNIVERSITY LIBRARIES

The use of vulnerability data for risk assessment

Martinsson, Jenny LU (2021) EITM01 20202
Department of Electrical and Information Technology
Abstract
Finding vulnerabilities in open source software is an important part of software security. Software security is in turn a vital part in risk management and making risk assessments. The purpose of this thesis is to help organisations make decisions about vulnerabilities they have in their software programs by helping them make their own risk assessment. Our research uses the Common Vulnerability Scoring System (CVSS), the Common Weakness Enumeration (CWE) and ISO-controls. Our research focused on the environmental score part of the CVSS score, and ways to derive the security requirement values were suggested. In the next step the modified base metrics were looked into and it was shown how easily they can be changed depending on what system they are used on. This was shown by comparing the CVSS score given by National Vulnerability Database (NVD) with the CVSS score given by the organisation Red Hat. The last part was to put the vulnerabilities in a larger risk perspective, where a connection was made between the vulnerabilities and the ISO-controls with the use of the CWEs connected to each vulnerability. Our conclusion shows that it is important to look at vulnerabilities from a larger risk perspective, and that our method can facilitate making continuous risk assessments in cybersecurity since a lot of the data can be reused in the future.
author: Martinsson, Jenny LU
course: EITM01 20202
year: 2021
type: H2 - Master's Degree (Two Years)
report number: LU/LTH-EIT 2021-820
language: English
id: 9052929
date added to LUP: 2021-06-15 10:03:18
date last changed: 2021-06-15 10:03:18
@misc{9052929,
  abstract     = {{Finding vulnerabilities in open source software is an important part of software security. Software security is in turn a vital part in risk management and making risk assessments. The purpose of this thesis is to help organisations make decisions about vulnerabilities they have in their software programs by helping them make their own risk assessment. Our research uses the Common Vulnerability Scoring System (CVSS), the Common Weakness Enumeration (CWE) and ISO-controls. Our research focused on the environmental score part of the CVSS score, and ways to derive the security requirement values were suggested. In the next step the modified base metrics were looked into and it was shown how easily they can be changed depending on what system they are used on. This was shown by comparing the CVSS score given by National Vulnerability Database (NVD) with the CVSS score given by the organisation Red Hat. The last part was to put the vulnerabilities in a larger risk perspective, where a connection was made between the vulnerabilities and the ISO-controls with the use of the CWEs connected to each vulnerability. Our conclusion shows that it is important to look at vulnerabilities from a larger risk perspective, and that our method can facilitate making continuous risk assessments in cybersecurity since a lot of the data can be reused in the future.}},
  author       = {{Martinsson, Jenny}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{The use of vulnerability data for risk assessment}},
  year         = {{2021}},
}