Improving Software Vulnerability Management with EPSS
Kivioja, Sini (2024)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Acceptance date
2024-10-02
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202409058557
Abstract
Information security has become increasingly important in recent years, as the number of cybercrimes has grown. In 2023, over 29 thousand vulnerabilities were discovered. The rapid development of artificial intelligence (AI) has already found its way into cybercrime, making good vulnerability management even more important. AI is a tool that can make exploitation more innovative and complex. It is becoming progressively more difficult for organizations to know which vulnerabilities should be prioritized and mitigated in order to avoid the losses and problems that result from exploitation.
This thesis aims to share information about and analyze a relatively new method for predicting vulnerability exploitation, the Exploit Prediction Scoring System (EPSS). EPSS is an open-source method that gives daily estimates of the likelihood that a vulnerability will be exploited within the next 30 days. The estimates are intended to support vulnerability prioritization alongside other vulnerability scoring methods.
The thesis introduces the EPSS method and investigates its use cases. In addition, further evidence supporting the effectiveness of EPSS in vulnerability prioritization is studied. EPSS is also used to analyze the vulnerability status of an open-source component, Apache Flink.
The results of the study indicate that EPSS is a promising method to use in software vulnerability management alongside other methods and tools. EPSS version 3 has improved greatly over the first versions. This study demonstrated that EPSS helps organizations use fewer resources while achieving better results in vulnerability management. There are some concerns about the lack of access to the underlying data or model and about the heavy reliance on the NVD, but overall EPSS has been shown to be a promising method for prioritizing which vulnerabilities to remediate first. However, it does not really help with zero-day vulnerabilities, as an EPSS value can only be computed once certain information about the vulnerability is available. No studies were found on the newest version of EPSS.
The thesis also gives some recommendations for the future development of EPSS. This thesis scratches the surface of how EPSS could be improved, and acknowledges that the rapid growth of AI should be taken into account when developing EPSS. Improving the data quality of the EPSS model and making sure that the model is training properly should also be considered. Overall, software vulnerability exploitation should be studied more, as cybercrime is increasingly common.
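As an added illustration of the prioritization the abstract describes (this is example code, not from the thesis or the EPSS project), the following combines the EPSS 30-day exploitation probability with CVSS severity and keeps CVEs that have no EPSS value yet, such as zero-days, out of the "low risk" tiers. The record shape (EPSS probability as a decimal string), the thresholds, the tier names and the CVE identifiers are assumptions and constructed sample data.

```python
# Added example (not from the thesis): triage findings by combining the EPSS
# 30-day exploitation probability with CVSS severity. All inputs are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str
    cvss: float            # CVSS base severity, 0.0-10.0
    epss: Optional[float]  # EPSS probability of exploitation within 30 days;
                           # None when no estimate exists yet (e.g. a zero-day)

def parse_epss_value(raw) -> Optional[float]:
    """Assumed feed format: probability as a decimal string; missing -> None."""
    if raw is None or raw == "":
        return None
    value = float(raw)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"EPSS probability out of range: {raw}")
    return value

def tier(f: Finding, epss_threshold: float = 0.1, cvss_threshold: float = 7.0) -> str:
    """Assign a remediation tier. Unscored CVEs are never treated as low risk."""
    if f.epss is None:
        return "review"      # no EPSS yet: decide on CVSS and context by hand
    if f.epss >= epss_threshold:
        return "act_now"     # likely to be exploited soon, whatever CVSS says
    if f.cvss >= cvss_threshold:
        return "plan"        # severe if exploited, but currently unlikely
    return "monitor"

def triage(findings, epss_threshold=0.1, cvss_threshold=7.0) -> dict:
    """Group findings by tier; most likely to be exploited first within each."""
    order = ("act_now", "plan", "monitor", "review")
    groups = {t: [] for t in order}
    for f in findings:
        groups[tier(f, epss_threshold, cvss_threshold)].append(f)
    for t in order:
        groups[t].sort(key=lambda x: (-(x.epss or 0.0), -x.cvss))
    return groups

# Constructed sample: identifiers and scores are illustrative placeholders.
SAMPLE = [
    Finding("CVE-XXXX-0001", cvss=9.8, epss=parse_epss_value("0.004100000")),
    Finding("CVE-XXXX-0002", cvss=6.5, epss=parse_epss_value("0.612300000")),
    Finding("CVE-XXXX-0003", cvss=7.5, epss=parse_epss_value("0.970000000")),
    Finding("CVE-XXXX-0004", cvss=5.3, epss=parse_epss_value("0.000800000")),
    Finding("CVE-XXXX-0005", cvss=8.1, epss=parse_epss_value(None)),
]

if __name__ == "__main__":
    for t, items in triage(SAMPLE).items():
        print(t, [f.cve for f in items])
```

Note that the critical-CVSS finding with a very low EPSS value lands behind two medium- and high-CVSS findings with high exploitation probability, which is the resource saving the abstract refers to.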
