
Mining social networks of open source CVE coordination

Published: 25 October 2017

Abstract

Coordination is one central tenet of software engineering practices and processes. In terms of software vulnerabilities, coordination is particularly evident in the processes used for obtaining Common Vulnerabilities and Exposures (CVE) identifiers for discovered and disclosed vulnerabilities. As the central CVE tracking infrastructure maintained by the non-profit MITRE Corporation has recently been criticized for time delays in CVE assignment, an almost ideal case is available for studying software and security engineering coordination practices with practical relevance. Given this pragmatic motivation, this paper examines the open source CVE coordination that occurs on the public oss-security mailing list. By combining social network analysis with a data-driven, exploratory research approach, the paper asks six data mining questions with practical relevance. By considering answers to these questions by means of descriptive statistics, the paper contributes not only to the contemporary industry debates, but also to the tradition of empirical vulnerability research. The perspective and the case are both novel in this tradition, thus opening new avenues for further empirical inquiries and practical improvements to contemporary CVE coordination.


Cited By

  • (2020) Social Network Analysis in Software Development Projects: A Systematic Literature Review. International Journal of Software Engineering and Knowledge Engineering, 30(03):321--362. https://doi.org/10.1142/S021819402050014X. Online publication date: 28 April 2020.
  • (2020) Classifying Common Vulnerabilities and Exposures Database Using Text Mining and Graph Theoretical Analysis. Machine Intelligence and Big Data Analytics for Cybersecurity Applications, pages 313--338. https://doi.org/10.1007/978-3-030-57024-8_14. Online publication date: 15 December 2020.
  • (2018) Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses. Database and Expert Systems Applications, pages 265--277. https://doi.org/10.1007/978-3-319-99133-7_22. Online publication date: 7 August 2018.

    Published In

    IWSM Mensura '17: Proceedings of the 27th International Workshop on Software Measurement and 12th International Conference on Software Process and Product Measurement
    October 2017
    273 pages
    ISBN:9781450348539
    DOI:10.1145/3143434

    Sponsors

    • SWC: Software Center, University of Gothenburg, Sweden

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. CVSS
    2. MITRE
    3. NVD
    4. cyber security
    5. social network analysis
    6. software engineering coordination
    7. software vulnerability
