Continuous and comprehensive vulnerability management is a difficult task for administrators. The difficulty is not caused by a lack of tools, but by tools that are designed without a service-oriented architecture viewpoint and by a shortage of trustworthy machine-readable input data. This paper presents a service-oriented architecture for vulnerability assessment systems based on open security standards and related content. If the functions are provided as services, various kinds of security applications can interoperate and be integrated in a loosely coupled way. We also studied the effectiveness of the available public data for automated vulnerability assessment. Despite the large effort that goes into describing machine-readable assessment tests in conformity with the OVAL standard, the evaluation result proves inadequate for comprehensive vulnerability assessment: only about 12% of all known vulnerabilities are covered by existing OVAL tests, while some popular client applications among the top 30 with the most unique vulnerabilities are covered at more than 90%.
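The coverage figures above come from comparing the set of known vulnerabilities against the CVE identifiers referenced by OVAL definitions. The following script is an added illustration of that measurement and is not code from the paper: it parses a constructed, minimal OVAL definitions document (the element names and the `deprecated` attribute follow the OVAL 5 definitions schema; the definition ids, product names and `CVE-0000-xxxx` identifiers are placeholders), collects the CVEs that have at least one non-deprecated test, and reports overall and per-product coverage against a constructed list of known vulnerabilities.

```python
"""Measure how much of a known-vulnerability list is covered by OVAL definitions.

Added example (not from the paper). The OVAL document below is constructed for
illustration: definition ids, product names and CVE ids are placeholders.
"""
from collections import defaultdict
from xml.etree import ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed OVAL definitions document. Definition 3 references a CVE that is
# not in our known list, and definition 4 is deprecated, so it must not count.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Placeholder browser vulnerability</title>
        <affected family="windows"><product>ExampleBrowser</product></affected>
        <reference source="CVE" ref_id="CVE-0000-0001"/>
        <reference source="CVE" ref_id="CVE-0000-0002"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:2" version="1" class="vulnerability">
      <metadata>
        <title>Placeholder reader vulnerability</title>
        <affected family="windows"><product>ExampleReader</product></affected>
        <reference source="CVE" ref_id="CVE-0000-0004"/>
        <reference source="VENDOR" ref_id="EX-ADV-001"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:3" version="1" class="vulnerability">
      <metadata>
        <title>Placeholder server vulnerability</title>
        <affected family="unix"><product>ExampleServer</product></affected>
        <reference source="CVE" ref_id="CVE-0000-0009"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:4" version="1" class="vulnerability" deprecated="true">
      <metadata>
        <title>Withdrawn test</title>
        <affected family="unix"><product>ExampleServer</product></affected>
        <reference source="CVE" ref_id="CVE-0000-0006"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed list of "known" vulnerabilities as (cve_id, product) pairs.
KNOWN_VULNS = [
    ("CVE-0000-0001", "ExampleBrowser"),
    ("CVE-0000-0002", "ExampleBrowser"),
    ("CVE-0000-0003", "ExampleBrowser"),
    ("CVE-0000-0004", "ExampleReader"),
    ("CVE-0000-0005", "ExampleReader"),
    ("CVE-0000-0006", "ExampleServer"),
    ("CVE-0000-0007", "ExampleServer"),
    ("CVE-0000-0008", "ExampleServer"),
]


def covered_cves(oval_xml):
    """Return the set of CVE ids referenced by non-deprecated OVAL definitions."""
    root = ET.fromstring(oval_xml)
    covered = set()
    for definition in root.findall(".//oval:definition", OVAL_NS):
        if definition.get("deprecated", "false").lower() == "true":
            continue  # a withdrawn test gives no real coverage
        for ref in definition.findall(".//oval:reference", OVAL_NS):
            if ref.get("source") == "CVE" and ref.get("ref_id"):
                covered.add(ref.get("ref_id"))
    return covered


def coverage_report(known, covered):
    """Count covered/known vulnerabilities overall and per product.

    Only CVEs present in the known list count; OVAL tests for unknown CVEs are
    ignored so coverage can never exceed 100%.
    """
    per_product = defaultdict(lambda: [0, 0])
    total_covered = 0
    for cve_id, product in known:
        per_product[product][1] += 1
        if cve_id in covered:
            per_product[product][0] += 1
            total_covered += 1
    return {
        "overall": (total_covered, len(known)),
        "per_product": {p: tuple(c) for p, c in per_product.items()},
    }


def percent(covered, total):
    """Coverage as a percentage; an empty population counts as 0%."""
    return 100.0 * covered / total if total else 0.0


if __name__ == "__main__":
    report = coverage_report(KNOWN_VULNS, covered_cves(SAMPLE_OVAL))
    c, t = report["overall"]
    print(f"overall: {c}/{t} ({percent(c, t):.1f}%)")
    for product, (c, t) in sorted(report["per_product"].items()):
        print(f"{product}: {c}/{t} ({percent(c, t):.1f}%)")
```

On the constructed data the script reports 3 of 8 known vulnerabilities covered overall, with the browser at two thirds and the server at zero, which mirrors the paper's observation that aggregate coverage can be low while a few popular client applications are covered well. With real inputs, the known list would come from a CVE feed and the definitions from an OVAL repository; the comparison logic stays the same.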