STATE REGULATION OF NAMING AND SOFTWARE IDENTIFICATION IN VULNERABILITY MANAGEMENT PROCESSES
Abstract
IT asset management is the foundation for building an effective vulnerability management process: without an inventory of the IT assets under its control, an organization cannot technically begin to build one. Once an IT asset management process is in place, a task essential to vulnerability management is to name software assets uniquely. Unambiguous naming allows the software and its vulnerabilities to be identified without actively scanning IT infrastructure nodes, by interacting only with the IT asset management system. Technically, this approach can be called "passive vulnerability detection," but it is extremely labor-intensive to implement with existing naming systems. To make passive detection more realistic, the authors propose to create a common foundation by first forming a conceptual scheme and then creating a system of standardized naming and identification of software, regulated centrally at the state level. As part of the review of existing software naming systems, attention is paid to the problems of CPE (Common Platform Enumeration) on the side of on-site specialists, namely obtaining CPE identifiers and translating information about installed software into a CPE identifier, and on the side of a vulnerability data aggregator, namely retrieving vulnerability information by a CPE identifier. The problems of applying CPE, as well as the problems of interacting with vulnerability data aggregators from unfriendly countries, discovered in the course of the research form the prerequisites for a national system of state regulation of software naming and identification that would eliminate the problems of existing software naming systems. In conclusion, the advantages that such a national system would bring, if created and used in practice by all participants of the vulnerability management process, are outlined.
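To make the "translate inventory data into a CPE identifier, then look up vulnerabilities by that identifier" step concrete, the following Python script is an added example, not code from the paper or from any vulnerability data aggregator. It builds CPE 2.3 formatted strings from inventory rows (escaping per the formatted-string binding of NISTIR 7695), matches them against vulnerability records in the shape of NVD configuration data (a criteria CPE plus optional version bounds), and shows where the labor cost sits: the vendor `ExampleCorp, Inc.`, the product `Widget Server`, the records and the alias table are all constructed for the example, and the match fails until a human-maintained vendor alias maps the inventory's vendor name to the aggregator's token.

```python
"""Added example (not from the paper): inventory rows -> CPE 2.3 strings ->
match against vulnerability records. All vendors, products and records below
are constructed for illustration."""

import re

# Component order of a CPE 2.3 formatted string after "cpe:2.3:" (NISTIR 7695).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# In the formatted-string binding, letters, digits, '_', '-' and '.' are
# unreserved; any other character (including ':' and '\') is backslash-escaped.
_NEEDS_ESCAPE = re.compile(r"[^A-Za-z0-9_.\-]")
# Colons that are not preceded by a backslash separate components.
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def to_component(value):
    """Map one free-text inventory field to a CPE component value.
    Empty/unknown fields become the logical value ANY ('*'); case is folded
    and whitespace becomes '_', following the CPE convention."""
    if value is None or not value.strip():
        return "*"
    text = re.sub(r"\s+", "_", value.strip().lower())
    return _NEEDS_ESCAPE.sub(lambda m: "\\" + m.group(0), text)


def build_cpe(part, vendor, product, version=None, vendor_aliases=None):
    """Build a CPE 2.3 formatted string from inventory fields.
    vendor_aliases maps the vendor name as written in the inventory
    (lower-cased) to the token the vulnerability data source uses; this
    table is the manual translation work the abstract describes."""
    aliases = vendor_aliases or {}
    vendor = aliases.get((vendor or "").strip().lower(), vendor)
    components = [part, to_component(vendor), to_component(product),
                  to_component(version)] + ["*"] * 7
    return "cpe:2.3:" + ":".join(components)


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into a dict of its 11 components."""
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE_FIELDS, parts[2:]))


def _version_key(version):
    """Sort key for dotted versions: numeric segments compare as integers,
    non-numeric segments sort after numeric ones and compare as strings."""
    return [(0, int(s)) if s.isdigit() else (1, s) for s in version.split(".")]


def cpe_matches(asset_cpe, record):
    """True if the asset's CPE falls within the record's criteria CPE ('*'
    in the criteria means ANY) and its optional versionStartIncluding /
    versionEndExcluding bounds. An asset with unknown version is reported as
    not matching a version range rather than as a false positive."""
    asset, crit = parse_cpe(asset_cpe), parse_cpe(record["criteria"])
    for field in CPE_FIELDS:
        if crit[field] != "*" and crit[field] != asset[field]:
            return False
    lo, hi = record.get("versionStartIncluding"), record.get("versionEndExcluding")
    if asset["version"] == "*":
        return lo is None and hi is None
    v = _version_key(asset["version"])
    if lo is not None and v < _version_key(lo):
        return False
    if hi is not None and v >= _version_key(hi):
        return False
    return True


# Constructed vulnerability records in the shape of an aggregator's feed.
VULN_RECORDS = [
    {"id": "VULN-0001 (constructed)",
     "criteria": "cpe:2.3:a:examplecorp:widget_server:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "3.0", "versionEndExcluding": "3.3"},
]
# Constructed inventory rows as an asset-management system might export them.
INVENTORY = [
    {"vendor": "ExampleCorp, Inc.", "product": "Widget Server", "version": "3.2.1"},
    {"vendor": "ExampleCorp, Inc.", "product": "Widget Server", "version": "3.3.0"},
]
# Hypothetical alias table: inventory vendor name -> aggregator vendor token.
VENDOR_ALIASES = {"examplecorp, inc.": "examplecorp"}


def find_vulnerable(inventory, records, vendor_aliases=None):
    """Passive detection: (cpe, record id) pairs for inventory rows whose CPE
    falls inside a vulnerability record, without touching any host."""
    hits = []
    for row in inventory:
        cpe = build_cpe("a", row["vendor"], row["product"], row.get("version"),
                        vendor_aliases)
        hits.extend((cpe, r["id"]) for r in records if cpe_matches(cpe, r))
    return hits


if __name__ == "__main__":
    # Without the alias table the vendor token is 'examplecorp\,_inc.' and
    # nothing matches; with it, 3.2.1 is flagged and 3.3.0 is not.
    print(find_vulnerable(INVENTORY, VULN_RECORDS))
    print(find_vulnerable(INVENTORY, VULN_RECORDS, VENDOR_ALIASES))
```

The alias dictionary is the crux: every vendor and product spelling that differs between the inventory and the aggregator needs an entry, and a wrong or missing entry silently turns a vulnerable install into a non-match. A single, centrally regulated identifier for each software product, as the abstract proposes, is what would let `build_cpe` emit the aggregator's token directly instead of relying on that table.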