  • Stars: 127
  • Rank: 281,137 (Top 6 %)
  • Language: Python
  • License: Other
  • Created over 4 years ago
  • Updated 9 days ago


Repository Details

Stakeholder-Specific Vulnerability Categorization

SSVC

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.


SSVC consists mostly of conceptual tools for vulnerability management. These conceptual tools (how to make decisions, what should go into a decision, how to document and communicate decisions clearly, etc.) are described here.

Note: This repository contains the content for the main SSVC documentation hosted at

  • If you are just looking for SSVC documentation, you should go there.
  • If you are interested in contributing to the SSVC documentation, you are in the right place.

What's here

Here's a quick overview of the main directories and files in this repository.

/docs/*

Raw markdown and graphics files used to build the SSVC documentation website. See project_docs/README.md for more info.

/docs/ssvc-calc

Directory containing the SSVC calculator, built on a D3 graph. See ssvc-calc/README.md for more info.

A demo version of ssvc-calc can be found at https://certcc.github.io/SSVC/ssvc-calc/

/pdfs/*

Static versions of previously issued PDF reports are stored in this directory.

/data/*

The data folder contains detailed data files that define suggested prioritization results based on each combination of information on a vulnerability work item.

There are both .csv and .json files in this directory.

/data/csvs/*

The .csv files are the primary data files used by the ssvc.py module.

The data directory also includes the lookup tables, as csv files, that ssvc_v2.py reads in. These files define one row per possible path through the trees described in the documentation. Customizing the "outcome" column in these csv files is the primary recommended way for stakeholders to adapt SSVC to their environment.

/data/json/*

These json files are examples generated by the python ssvc module.

/data/schema/* and /data/schema_examples/*

These files are used by the ssvc-calc module.

/src/*

This directory holds helper scripts that can make managing or using SSVC easier.

/src/ssvc/*

The ssvc python module provides tools to work with decision points, decision point groups, and outcomes. These modules are used to generate documentation for the various decision points.

Documentation for the ssvc module can be found at https://certcc.github.io/SSVC/reference/code/

src/ssvc_v2.py

A basic Python module for interacting with the SSVC trees. ssvc_v2.py has two methods: applier_tree() and developer_tree().

The two methods just loop through their respective lookup tables until they hit a match, then return the outcome. Maybe not the best implementation, but it worked well enough for what was needed at the time.
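The following is an added example (not ssvc_v2.py itself) of the lookup-table approach described above: a CSV with one row per path through a tree, scanned in order until every decision-point column matches, after which the outcome column is returned. The table, column names and row values are constructed for illustration; they are patterned on SSVC's published decision points but are not the project's actual data/csvs files. It also includes the check a stakeholder would want after editing the outcome column or the rows: every combination of values must appear exactly once, or a first-match scan silently returns the wrong row or fails to match at all.

```python
import csv
import io
import itertools

# Constructed sample lookup table (NOT the project's real data/csvs file).
# One row per path through a deliberately tiny three-point tree.
SAMPLE_TABLE = """\
Exploitation,Automatable,TechnicalImpact,Outcome
none,no,partial,Defer
none,no,total,Defer
none,yes,partial,Scheduled
none,yes,total,Scheduled
poc,no,partial,Scheduled
poc,no,total,Scheduled
poc,yes,partial,Scheduled
poc,yes,total,Out-of-cycle
active,no,partial,Out-of-cycle
active,no,total,Immediate
active,yes,partial,Immediate
active,yes,total,Immediate
"""

OUTCOME_COLUMN = "Outcome"  # assumed column name for this sample


def load_table(csv_text):
    """Parse CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def decision_points(rows):
    """Every column except the outcome column is a decision point."""
    return [c for c in rows[0].keys() if c != OUTCOME_COLUMN]


def lookup_outcome(rows, values):
    """First-match scan, as described for applier_tree()/developer_tree():
    walk the rows in file order and return the outcome of the first row whose
    decision-point columns all equal the supplied values."""
    points = decision_points(rows)
    missing = [p for p in points if p not in values]
    if missing:
        raise KeyError(f"no value supplied for decision point(s): {missing}")
    for row in rows:
        if all(row[p] == values[p] for p in points):
            return row[OUTCOME_COLUMN]
    raise KeyError(f"no row matches {values}")


def check_table(rows):
    """Consistency checks to run after customizing a table: report paths that
    appear more than once, combinations of observed values that have no row,
    and rows whose outcome is blank."""
    points = decision_points(rows)
    domain = {p: sorted({r[p] for r in rows}) for p in points}
    seen = {}
    for row in rows:
        key = tuple(row[p] for p in points)
        seen[key] = seen.get(key, 0) + 1
    duplicates = [k for k, n in seen.items() if n > 1]
    missing = [k for k in itertools.product(*(domain[p] for p in points))
               if k not in seen]
    empty_outcomes = [tuple(r[p] for p in points) for r in rows
                      if not r[OUTCOME_COLUMN].strip()]
    return {"duplicates": duplicates, "missing": missing,
            "empty_outcomes": empty_outcomes}


def customize(rows, path, new_outcome):
    """Return a copy of the table with one path's outcome changed, which is
    how a stakeholder adapts the table to their own environment."""
    points = decision_points(rows)
    out = [dict(r) for r in rows]
    for row in out:
        if tuple(row[p] for p in points) == tuple(path):
            row[OUTCOME_COLUMN] = new_outcome
    return out


if __name__ == "__main__":
    rows = load_table(SAMPLE_TABLE)
    print("table checks:", check_table(rows))
    print("outcome:", lookup_outcome(rows, {"Exploitation": "active",
                                            "Automatable": "no",
                                            "TechnicalImpact": "total"}))
```

Because the scan returns the first matching row, a duplicated path is never detected by lookup_outcome itself; run check_table on any edited csv before relying on it.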

Local development

Install prerequisites:

pip install -r requirements.txt

Start a local server:

mkdocs serve

Navigate to http://localhost:8001/ to see the site.

(Hint: You can use the --dev-addr argument with mkdocs to change the port, e.g. mkdocs serve --dev-addr localhost:8000)

Contributing

Citing SSVC

To reference SSVC in an academic publication, please refer to the version presented at the 2020 Workshop on Economics of Information Security (WEIS):

@inproceedings{spring2020ssvc,
  title={Prioritizing vulnerability response: {A} stakeholder-specific vulnerability categorization},
  author={Jonathan M Spring and Eric Hatleback and Allen D. Householder and Art Manion and Deana Shick},
  address={Brussels, Belgium},
  year={2020},
  month = dec,
  booktitle = {Workshop on the Economics of Information Security}
}

References

  1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379
  2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368

More Repositories

  1. CVE-2021-44228_scanner (PowerShell, 343 stars): Scanners for Jar files that may be vulnerable to CVE-2021-44228
  2. keyfinder (Python, 266 stars): A tool for finding and analyzing private (and public) key files, including support for Android APK files.
  3. certfuzz (Python, 262 stars): This project contains the source code for the CERT Basic Fuzzing Framework (BFF) and the CERT Failure Observation Engine (FOE).
  4. trommel (Python, 204 stars): TROMMEL: Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators
  5. tapioca (Python, 180 stars): CERT Tapioca for MITM network analysis
  6. PoC-Exploits (Python, 180 stars): Select proof-of-concept exploits for software vulnerabilities to aid in identifying and testing vulnerable systems.
  7. labyrinth (96 stars): Come inside, and have a nice cup of tea.
  8. Vulnerability-Data-Archive (87 stars): With the hope that someone finds the data useful, we used to periodically publish an archive of almost all of the non-sensitive vulnerability information in our vulnerability reports database. See also https://github.com/CERTCC/Vulnerability-Data-Archive-Tools
  9. privesc (77 stars): Process Monitor filter for finding privilege escalation vulnerabilities on Windows
  10. SBOM (JavaScript, 57 stars): Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
  11. VINCE (Python, 53 stars): VINCE is the Vulnerability Information and Coordination Environment developed and used by the CERT Coordination Center to improve coordinated vulnerability disclosure. VINCE is a Python-based web platform.
  12. dranzer (C++, 32 stars): Dranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls
  13. Vulnerability-Data-Archive-Tools (Python, 19 stars): Tools for working with the CERT Vulnerability Data Archive. See also https://github.com/CERTCC/Vulnerability-Data-Archive
  14. cveClient (JavaScript, 17 stars): A client and library to cve-services 2.x to provide CVE management for CNA and CERTs
  15. Vultron (Python, 10 stars): Vultron is a protocol for Coordinated Vulnerability Disclosure
  16. vulnerability_disclosure_policy_templates (9 stars): A collection of templates for generating vulnerability disclosure policies. (NOTE: As of 2024, these templates are now part of the CERT Guide to Coordinated Vulnerability Disclosure, see link in README.)
  17. CERT-Guide-to-CVD (Shell, 7 stars): Content for the CERT Guide to Coordinated Vulnerability Disclosure
  18. UEFI-Analysis-Resources (PHP, 6 stars): Documentation, examples, and other resources regarding analyzing EDK2 based UEFI firmware
  19. Linux-Kernel-Analysis-Environment (Shell, 5 stars): Container-based environment for debugging and analyzing Linux kernels using QEMU and GDB
  20. git_vul_driller (Jupyter Notebook, 3 stars): Drills through git commit histories to find vulnerability IDs in change logs.
  21. ip6tables-configuration (Shell, 3 stars): Automatically exported from code.google.com/p/ip6tables-configuration
  22. metasploit_json_parser (Python, 2 stars): Parser for the JSON database included in metasploit-framework that emits a CSV file of modules keyed by vulnerability IDs and references. NOTE: Superseded by git_vul_driller linked above.
  23. Syzbot-Repro-Runner (Python, 1 star): Automatically build and run a custom kernel and crasher from a syzbot report