Abstract
The number of published software vulnerabilities is increasing every year. How do organizations stay in control of their attack surface despite their limited staff resources? Prior work has analyzed the overall software vulnerability ecosystem as well as patching processes within organizations, but not how these two are connected. We investigate this missing link through semi-structured interviews with 22 organizations in critical infrastructure and government services. We analyze where in these organizations the responsibility is allocated to collect and triage information about software vulnerabilities, and find that none of our respondents is acquiring such information comprehensively, not even in a reduced and aggregated form like the National Vulnerability Database (NVD). This means that information on known vulnerabilities will be missed, even in critical infrastructure organizations. We observe that organizations apply implicit and explicit coping mechanisms to reduce their intake of vulnerability information, and identify three trade-offs in these strategies: independence, pro-activeness and formalization. Although our respondents' behavior is in conflict with the widely accepted security advice to collect comprehensive vulnerability information about active systems, no respondents recall having experienced a security incident that was associated with missing information on a known software vulnerability. This suggests that, given scarce resources, reducing the intake of vulnerability information by up to 95% can be considered a rational strategy. Our findings raise questions about the allocation of responsibility and accountability for finding vulnerable systems, as well as suggest changing expectations around collecting vulnerability information.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023 |
| Publisher | IEEE |
| Pages | 1980-1996 |
| Number of pages | 17 |
| ISBN (Electronic) | 978-1-6654-9336-9 |
| DOIs | |
| Publication status | Published - 2023 |
| Event | 2023 IEEE Symposium on Security and Privacy (SP) - San Francisco, United States; Duration: 22 May 2023 → 24 May 2023 |
Publication series
| Name | Proceedings - IEEE Symposium on Security and Privacy |
|---|---|
| Volume | 2023-May |
| ISSN (Print) | 1081-6011 |
Conference
| Conference | 2023 IEEE Symposium on Security and Privacy (SP) |
|---|---|
| Abbreviated title | SP 2023 |
| Country/Territory | United States |
| City | San Francisco |
| Period | 22/05/23 → 24/05/23 |
Bibliographical note
Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care

Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Title
No One Drinks From the Firehose: How Organizations Filter and Prioritize Vulnerability Information
Projects
1 Active

- Cybersecurity (TPM)
  van Eeten, M. J. G., Hernandez Ganan, C., Gürses, F. S., van Wegberg, R. S., Parkin, S. E., Zhauniarovich, Y., van Engelenburg, S. H., Kadenko, N. I., Labunets, K., Akyazi, U., Bouwman, X. B., Jansen, B. A., Kaur, M., Al Alsadi, A., Lone, Q. B., Turcios Rodriguez, E. R., Vermeer, M., van Harten, V. T. C., Vetrivel, S., Oomens, E. (. C. )., Kustosch, L. F., Bisogni, F., Ciere, M., Fiebig, T., Korczynski, M. T., Moreira Moura, G. C., Noroozian, A., Pieters, W., Tajalizadehkhoob, S., Dacier, B. H. A., San José Sanchez, J., Çetin, F. O. & Zannettou, S.
  1/01/10 → …
  Project: Research