Software Vulnerabilities (SVs) are increasing in complexity and scale, posing great security risks to many software systems. Given the limited resources in practice, SV assessment and prioritization help practitioners devise optimal SV mitigation plans based on various SV characteristics. The surge in SV data sources and data-driven techniques such as Machine Learning and Deep Learning have taken SV assessment and prioritization to the next level. Our survey provides a taxonomy of the past research efforts and highlights the best practices for data-driven SV assessment and prioritization. We also discuss the current limitations and propose potential solutions to address such issues.
翻译:由于实际资源有限,SV评估和确定优先次序有助于从业者根据各种SV特征制定最佳的SV减缓计划。SV数据来源和数据驱动技术(如机器学习和深层学习)的激增,使得SV评估和优先排序上升到了下一个层次。我们的调查提供了过去研究工作的分类,突出了数据驱动SV评估和确定优先次序的最佳做法。我们还讨论了目前的局限性,并提出了解决这些问题的潜在解决办法。