Causes, classification, and criticality of information system software vulnerabilities
https://doi.org/10.21822/2073-6185-2025-52-2-98-106
Abstract
Objective. The purpose of this paper is to describe the causes of software vulnerabilities and their classification, and to eliminate the ambiguity of the concept of software vulnerability criticality. Method. Analysis of existing approaches to the assessment, classification, and identification of software vulnerabilities; modeling, construction of a UML model, and description of an algorithm. Result. A definition of the criticality of a software vulnerability is proposed. The causes of software vulnerabilities are partially described, and the existing classification of software vulnerabilities is expanded. An example of assessing the criticality of software vulnerabilities based on calculated metrics is given, together with an example of vulnerability metric evaluation and prioritization. The UML model and the vulnerability assessment algorithm are presented. Conclusion. The results of the research expand the list of indicators and the subject area of the description of software vulnerabilities.
About the Author
A. O. Efimov, Russian Federation
Aleksey O. Efimov, Lecturer, Department of Automated Information Systems of Internal Affairs Bodies
53 Patriotov Str., Voronezh 394065
For citations:
Efimov A.O. Causes, classification, and criticality of information system software vulnerabilities. Herald of Dagestan State Technical University. Technical Sciences. 2025;52(2):98–106. (In Russ.) https://doi.org/10.21822/2073-6185-2025-52-2-98-106