In this digital era, our privacy is under constant threat as our personal data and traceable online/offline activities are frequently collected, processed and transferred by many software applications. Privacy attacks are often mounted by exploiting vulnerabilities found in those software applications. The Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) systems are currently the main sources that software engineers rely on for understanding and preventing publicly disclosed software vulnerabilities. However, our study of all 922 weaknesses in the CWE and 156,537 vulnerabilities registered in the CVE to date has found very small coverage of privacy-related vulnerabilities in both systems: only 4.45% in CWE and 0.1% in CVE. These also cover only a small number of the areas of privacy threat that have been raised in existing privacy software engineering research, privacy regulations and frameworks, and relevant reputable organisations. The actionable insights generated from our study led to the introduction of 11 new common privacy weaknesses to supplement the CWE system, making it a source for both security and privacy vulnerabilities.