configuration vulnerabilities https://masonsquare.sitemasonry.gmu.edu/ en New scoring framework addresses software vulnerabilities https://masonsquare.sitemasonry.gmu.edu/news/2022-10/new-scoring-framework-addresses-software-vulnerabilities <span>New scoring framework addresses software vulnerabilities</span> <span><span lang="" about="/user/331" typeof="schema:Person" property="schema:name" datatype="">Tama Moni</span></span> <span>Tue, 10/25/2022 - 13:50</span> <div class="layout layout--gmu layout--twocol-section layout--twocol-section--30-70"> <div class="layout__region region-first"> <div data-block-plugin-id="field_block:node:news_release:field_associated_people" class="block block-layout-builder block-field-blocknodenews-releasefield-associated-people"> <h2>In This Story</h2> <div class="field field--name-field-associated-people field--type-entity-reference field--label-visually_hidden"> <div class="field__label visually-hidden">People Mentioned in This Story</div> <div class='field__items'> <div class="field__item"><a href="/profiles/malbanes" hreflang="und">Massimiliano Albanese</a></div> <div class="field__item"><a href="/profiles/ldurant2" hreflang="und">Liza Wilson Durant</a></div> </div> </div> </div> </div> <div class="layout__region region-second"> <div data-block-plugin-id="field_block:node:news_release:body" class="block block-layout-builder block-field-blocknodenews-releasebody"> <div class="field field--name-body field--type-text-with-summary field--label-visually_hidden"> <div class="field__label visually-hidden">Body</div> <div class="field__item"><p><span><span>The George Mason University <a href="https://cec.gmu.edu">College of Engineering and Computing</a> has launched the Mason Vulnerability Scoring Framework (MVSF), which publishes a continuously updated ranking of the most-common global software weaknesses. The work, in conjunction with <a href="https://www.parc.com/" target="_blank">PARC</a> (Palo Alto Research Center), relies on the <a href="//nist.gov">National Institute of Standards and Technology’s</a> (NIST)—Common Vulnerabilities and Exposures data and other sources of vulnerability information to create an up-to-date database that can be used to identify and mitigate risks. This line of work has resulted in multiple pending patent applications and a Best Paper Award at the 19th International Conference on Security and Cryptography.</span></span></p> <figure role="group" class="align-right"><div> <div class="field field--name-image field--type-image field--label-hidden field__item"> <img src="/sites/g/files/yyqcgq501/files/2022-10/Vulnerability-scoring-NS-thumbnail_600x600.jpg" width="600" height="600" alt="Graphic with blue computer code and yellow locks on a black background" loading="lazy" typeof="foaf:Image" /></div> </div> <figcaption>Cybersecurity code with 1s and 0s<br /> Photo provided by iStock images</figcaption></figure><p><span><span>Liza Wilson Durant, Mason’s associate provost for strategic initiatives and community engagement, says, "This preemptive tool to guide strategic defense against cybersecurity vulnerabilities will not only safeguard systems but mitigate potential business revenue losses for those who leverage the tool. “ </span></span></p> <p><span><span>An existing list called the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses, compiled by The <a href="https://mitre.org">MITRE Corporation</a>, has long been the industry standard. MVSF improves on the CWE Top 25 by having data input monthly, compared to MITRE’s yearly reporting. This improvement allows researchers, programmers, developers, and others to have an accurate, almost real-time picture of where software vulnerabilities are most likely to be exploited. Additionally, where MITRE ranks the top 25 vulnerabilities, MVSF ranks the top 150. </span></span></p> <p><span><span>Associate Professor, <a href="https://ist.gmu.edu">Department of Information Sciences and Technology</a> and Associate Director, <a href="https://csis.gmu.edu/">Center for Secure Information Systems</a>, Max Albanese oversees the project for Mason. He says, “If there is a trend where a certain type of vulnerability is becoming more severe, you don’t have to wait for a full year to discover that; you’ll see that class of vulnerability getting worse – or better – month-to-month.”  MVSF can even correct course based on new information, going back and re-ranking weaknesses’ order in a previous month based on new information that was not known at the time of original ranking. </span></span></p> <p><span><span>Albanese further notes that NIST assigns a severity score to vulnerabilities based on a combination of an exploitability score – how difficult the vulnerability is to exploit – and an impact score – how bad the consequences would be if the vulnerability were exploited. MVSF uses those components as variables but allows users to add their own, additional variables not considered by NIST. MVSF also allows users to decide how to weigh the variables that rank the vulnerabilities. This customizability, still under development, is an important feature of the new system. </span></span></p> <p><span><span>Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.</span></span></p> <p><span><span>The association with PARC here was important to making the project a success. “Working with GMU was a productive collaboration,” says Marc Mosko, principal scientist, PARC. “Configuration vulnerabilities are growing, now comprising over 15 percent of all Common Vulnerability and Exposure (CVE) notices. We appreciate that across many different industry sectors, there are often gaps in context between management, software security teams, and those who are responsible for ensuring systems are performing optimally on an ongoing basis. Our work addresses these evolving configuration security needs, and we look forward to exploring opportunities to apply this work in the future.”</span></span></p> <p>Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) program <a href="https://www.darpa.mil/program/configuration-security" target="_blank">ConSec</a> in a project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.</p> <p><span><span>Albanese, who is also an external consultant for MITRE, has initiated a collaboration with MITRE’s group responsible for CWE to leverage synergies between the two organizations.</span></span></p> <p><span><span>In addition to the excitement of the innovation, it is equally impactful to see undergraduate students involved in its design and implementation and innovating alongside their mentor faculty," says Wilson Durant.</span></span></p> <p><span><span>The <a href="https://www.cci-novanode.org/">Virginia Commonwealth Cyber Initiative (CCI)</a> will provide continued support for two Mason undergraduate students to assist with the project, which Albanese says is key for the continued maintenance of the system. </span></span></p> </div> </div> </div> <div data-block-plugin-id="field_block:node:news_release:field_content_topics" class="block block-layout-builder block-field-blocknodenews-releasefield-content-topics"> <h2>Topics</h2> <div class="field field--name-field-content-topics field--type-entity-reference field--label-visually_hidden"> <div class="field__label visually-hidden">Topics</div> <div class='field__items'> <div class="field__item"><a href="/taxonomy/term/846" hreflang="en">cryptography</a></div> <div class="field__item"><a href="/taxonomy/term/856" hreflang="en">configuration vulnerabilities</a></div> <div class="field__item"><a href="/taxonomy/term/841" hreflang="en">Internet of Things</a></div> <div class="field__item"><a href="/taxonomy/term/836" hreflang="en">Information Sciences and Technology Department</a></div> <div class="field__item"><a href="/taxonomy/term/571" hreflang="en">Research</a></div> <div class="field__item"><a href="/taxonomy/term/1651" hreflang="en">CEC faculty research</a></div> </div> </div> </div> </div> </div> Tue, 25 Oct 2022 17:50:54 +0000 Tama Moni 676 at https://masonsquare.sitemasonry.gmu.edu