Security Risk Indicator for Open Source Software to Measure Software Development Status

Hiroki Kuzuno; Tomohiko Yano; Kazuki Omo; Jeroen van der Ham; Toshihiro Yamauchi

doi:10.1007/978-981-99-8024-6_12

Security Risk Indicator for Open Source Software to Measure Software Development Status

Hiroki Kuzuno^*, Tomohiko Yano, Kazuki Omo, Jeroen van der Ham, Toshihiro Yamauchi

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

68 Downloads (Pure)

Abstract

Recently, open source software (OSS) has become more mainstream. Therefore, the security of OSS is an important topic in information systems that use OSS. When vulnerabilities are discovered in OSS, it is difficult to fix or address for each information system developer or administrator. Existing security studies propose classifying vulnerabilities, estimating vulnerability risks, and analyzing exploitable vulnerabilities. However, it is still difficult to understand the threat of exploited vulnerabilities, and the development status of OSS used in information system operations. Determining whether vulnerabilities and the OSS development status are security risks is challenging. In this study, we propose a security risk indicator for OSS to address these problems. The proposed method calculates security risk indicators by combining vulnerability information with the development status of OSS. The proposed security risk indicator of OSS is a criterion for security measures during the operation of information systems. In the evaluation, we verified whether the proposed security risk indicator can be used to identify the threats of multiple OSS and the calculation cost of the security risk indicators.

Original language	English
Title of host publication	Information Security Applications
Subtitle of host publication	24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers
Editors	Howon Kim, Jonghee Youn
Publisher	Springer
Pages	143-156
Number of pages	14
ISBN (Electronic)	978-981-99-8024-6
ISBN (Print)	978-981-99-8023-9
DOIs	https://doi.org/10.1007/978-981-99-8024-6_12
Publication status	Published - 2024
Event	24th International Conference on Information Security Applications, WISA 2023 - Jeju Island, Korea, Republic of Duration: 23 Aug 2023 → 25 Aug 2023 Conference number: 24

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14402
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Information Security Applications, WISA 2023
Abbreviated title	WISA 2023
Country/Territory	Korea, Republic of
City	Jeju Island
Period	23/08/23 → 25/08/23

Keywords

2024 OA procedure

Access to Document

10.1007/978-981-99-8024-6_12

ArticleFinal published version, 582 KBLicence: Taverne

Cite this

Kuzuno, H., Yano, T., Omo, K., van der Ham, J., & Yamauchi, T. (2024). Security Risk Indicator for Open Source Software to Measure Software Development Status. In H. Kim, & J. Youn (Eds.), Information Security Applications: 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers (pp. 143-156). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14402). Springer. https://doi.org/10.1007/978-981-99-8024-6_12

Kuzuno, Hiroki ; Yano, Tomohiko ; Omo, Kazuki et al. / Security Risk Indicator for Open Source Software to Measure Software Development Status. Information Security Applications: 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers. editor / Howon Kim ; Jonghee Youn. Springer, 2024. pp. 143-156 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{02b2f8204751424c803af72723c1b09d,

title = "Security Risk Indicator for Open Source Software to Measure Software Development Status",

abstract = "Recently, open source software (OSS) has become more mainstream. Therefore, the security of OSS is an important topic in information systems that use OSS. When vulnerabilities are discovered in OSS, it is difficult to fix or address for each information system developer or administrator. Existing security studies propose classifying vulnerabilities, estimating vulnerability risks, and analyzing exploitable vulnerabilities. However, it is still difficult to understand the threat of exploited vulnerabilities, and the development status of OSS used in information system operations. Determining whether vulnerabilities and the OSS development status are security risks is challenging. In this study, we propose a security risk indicator for OSS to address these problems. The proposed method calculates security risk indicators by combining vulnerability information with the development status of OSS. The proposed security risk indicator of OSS is a criterion for security measures during the operation of information systems. In the evaluation, we verified whether the proposed security risk indicator can be used to identify the threats of multiple OSS and the calculation cost of the security risk indicators.",

keywords = "2024 OA procedure",

author = "Hiroki Kuzuno and Tomohiko Yano and Kazuki Omo and {van der Ham}, Jeroen and Toshihiro Yamauchi",

note = "Publisher Copyright: {\textcopyright} 2024, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.; 24th International Conference on Information Security Applications, WISA 2023, WISA 2023 ; Conference date: 23-08-2023 Through 25-08-2023",

year = "2024",

doi = "10.1007/978-981-99-8024-6_12",

language = "English",

isbn = "978-981-99-8023-9",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "143--156",

editor = "Howon Kim and Jonghee Youn",

booktitle = "Information Security Applications",

address = "Germany",

}

Kuzuno, H, Yano, T, Omo, K, van der Ham, J & Yamauchi, T 2024, Security Risk Indicator for Open Source Software to Measure Software Development Status. in H Kim & J Youn (eds), Information Security Applications: 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14402, Springer, pp. 143-156, 24th International Conference on Information Security Applications, WISA 2023, Jeju Island, Korea, Republic of, 23/08/23. https://doi.org/10.1007/978-981-99-8024-6_12

Security Risk Indicator for Open Source Software to Measure Software Development Status. / Kuzuno, Hiroki; Yano, Tomohiko; Omo, Kazuki et al.
Information Security Applications: 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers. ed. / Howon Kim; Jonghee Youn. Springer, 2024. p. 143-156 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14402).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Security Risk Indicator for Open Source Software to Measure Software Development Status

AU - Kuzuno, Hiroki

AU - Yano, Tomohiko

AU - Omo, Kazuki

AU - van der Ham, Jeroen

AU - Yamauchi, Toshihiro

N1 - Conference code: 24

PY - 2024

Y1 - 2024

N2 - Recently, open source software (OSS) has become more mainstream. Therefore, the security of OSS is an important topic in information systems that use OSS. When vulnerabilities are discovered in OSS, it is difficult to fix or address for each information system developer or administrator. Existing security studies propose classifying vulnerabilities, estimating vulnerability risks, and analyzing exploitable vulnerabilities. However, it is still difficult to understand the threat of exploited vulnerabilities, and the development status of OSS used in information system operations. Determining whether vulnerabilities and the OSS development status are security risks is challenging. In this study, we propose a security risk indicator for OSS to address these problems. The proposed method calculates security risk indicators by combining vulnerability information with the development status of OSS. The proposed security risk indicator of OSS is a criterion for security measures during the operation of information systems. In the evaluation, we verified whether the proposed security risk indicator can be used to identify the threats of multiple OSS and the calculation cost of the security risk indicators.

AB - Recently, open source software (OSS) has become more mainstream. Therefore, the security of OSS is an important topic in information systems that use OSS. When vulnerabilities are discovered in OSS, it is difficult to fix or address for each information system developer or administrator. Existing security studies propose classifying vulnerabilities, estimating vulnerability risks, and analyzing exploitable vulnerabilities. However, it is still difficult to understand the threat of exploited vulnerabilities, and the development status of OSS used in information system operations. Determining whether vulnerabilities and the OSS development status are security risks is challenging. In this study, we propose a security risk indicator for OSS to address these problems. The proposed method calculates security risk indicators by combining vulnerability information with the development status of OSS. The proposed security risk indicator of OSS is a criterion for security measures during the operation of information systems. In the evaluation, we verified whether the proposed security risk indicator can be used to identify the threats of multiple OSS and the calculation cost of the security risk indicators.

KW - 2024 OA procedure

UR - http://www.scopus.com/inward/record.url?scp=85182591194&partnerID=8YFLogxK

U2 - 10.1007/978-981-99-8024-6_12

DO - 10.1007/978-981-99-8024-6_12

M3 - Conference contribution

AN - SCOPUS:85182591194

SN - 978-981-99-8023-9

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 143

EP - 156

BT - Information Security Applications

A2 - Kim, Howon

A2 - Youn, Jonghee

PB - Springer

T2 - 24th International Conference on Information Security Applications, WISA 2023

Y2 - 23 August 2023 through 25 August 2023

ER -

Kuzuno H, Yano T, Omo K, van der Ham J, Yamauchi T. Security Risk Indicator for Open Source Software to Measure Software Development Status. In Kim H, Youn J, editors, Information Security Applications: 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers. Springer. 2024. p. 143-156. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). Epub 2024 Jan 11. doi: 10.1007/978-981-99-8024-6_12