Description
Threat intelligence provides software developers with information about potential vulnerabilities in their software projects and their dependencies. However, the relevance of this information is not always certain, and the question arises of how many of the detected vulnerabilities are actually exploitable in the context of a given project.
The objective of this Master's thesis is to understand the security implications of vulnerabilities identified by threat intelligence. To this end, the student first collects threat intelligence to identify a set of vulnerabilities across dependencies of OSS projects written in Java, and then analyzes their exploitability. Part of the task is to define a reliable analysis procedure that ensures quantitative insights can be extracted from the resulting statistics. In the thesis, the student documents the analysis procedure in general and by example, justifies it, discusses corner cases, and applies the procedure to a set of vulnerabilities extracted from threat intelligence. The resulting dataset is analyzed for noteworthy patterns and submitted with the thesis. Implications for threat intelligence are derived, and recommendations are made for prioritising action on threat intelligence sources.