Can We Trust the Default Vulnerabilities Severity?

Matteo Esposito, Sergio Moreschini, Valentina Lenarduzzi, David Hästbacka, Davide Falessi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review


Abstract

As software systems become increasingly complex and interconnected, the risk of security debt has risen significantly, leading to more cyber-attacks and data breaches. Vulnerability prioritization is a critical activity in software engineering, as it helps identify and address security vulnerabilities in software systems promptly and effectively. With the increasing complexity of software systems and the growing number of potential threats, a systematic approach to vulnerability prioritization is essential to ensure that the most critical vulnerabilities are addressed first. The present study investigates the agreement between the default severity levels and the National Vulnerability Database (NVD) severity levels. We analyzed 1626 vulnerabilities encompassing 12 unique vulnerability types, associated with 125 Common Platform Enumeration identifiers belonging to 105 Apache projects. Our results show a weak correlation between the default and NVD severity levels; thus, the default severity of vulnerabilities is not trustworthy. Moreover, we discovered that, surprisingly, the same type of vulnerability is assigned several different NVD severity levels; therefore, no default prioritization based only on the type of vulnerability can be accurate. Future studies are needed to accurately estimate the priority of vulnerabilities by considering several aspects of a vulnerability rather than only its type.
Original language: English
Title of host publication: 2023 IEEE 23rd International Working Conference on Source Code Analysis and Manipulation (SCAM)
Pages: 265-270
Number of pages: 6
ISBN (Electronic): 979-8-3503-0506-7
DOIs
Publication status: Published - 2023
Publication type: A4 Article in conference proceedings
Event: International Working Conference on Source Code Analysis and Manipulation - Bogotá, Colombia
Duration: 2 Oct 2023 to 3 Oct 2023

Publication series

ISSN (Electronic): 2470-6892

Conference

Conference: International Working Conference on Source Code Analysis and Manipulation
Country/Territory: Colombia
City: Bogotá
Period: 2/10/23 to 3/10/23

Publication forum classification

  • Publication forum level 1
