Automated Reasoning for Vulnerability Management by Design
Avi Shaked, Nan Messe

TL;DR
This paper introduces a formally grounded automated reasoning mechanism integrated into a security design tool to systematically identify and manage vulnerabilities in system designs, enhancing proactive security control integration.
Contribution
It presents a novel automated reasoning approach for vulnerability management that supports systematic analysis and mitigation planning within security design tools.
Findings
Successfully integrated into an open-source security design tool
Demonstrated effectiveness through a real-world illustrative example
Enables explicit specification of vulnerabilities and mitigation controls
Abstract
To secure systems, it is essential to manage their vulnerability posture and design appropriate security controls. Vulnerability management allows vulnerabilities to be addressed proactively by incorporating pertinent security controls into system designs. Current vulnerability management approaches do not support systematic reasoning about the vulnerability postures of system designs. To effectively manage vulnerabilities and design security controls, we propose a formally grounded automated reasoning mechanism. We integrate the mechanism into an open-source security design tool and demonstrate its application through an illustrative example driven by real-world challenges. The automated reasoning mechanism allows system designers to identify vulnerabilities that are applicable to a specific system design, explicitly specify vulnerability mitigation options, declare selected controls,…
Taxonomy
Topics: Information and Cyber Security · Safety Systems Engineering in Autonomy · Security and Verification in Computing
