Preprint Article, Version 1. Preserved in Portico. This version is not peer-reviewed.
Generative Pre-Trained Transformers, Natural Language Processing and Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability Management: automations in the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX)
Version 1: Received: 19 July 2023 / Approved: 19 July 2023 / Online: 19 July 2023 (07:16:14 CEST)
How to cite:
Radanliev, P.; De Roure, D.; Santos, O. Generative Pre-Trained Transformers, Natural Language Processing and Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability Management: automations in the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX). Preprints 2023, 2023071303. https://doi.org/10.20944/preprints202307.1303.v1
APA Style
Radanliev, P., De Roure, D., & Santos, O. (2023). Generative Pre-Trained Transformers, Natural Language Processing and Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability Management: automations in the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX). Preprints. https://doi.org/10.20944/preprints202307.1303.v1
Chicago/Turabian Style
Radanliev, P., David De Roure, and Omar Santos. 2023. "Generative Pre-Trained Transformers, Natural Language Processing and Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability Management: automations in the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX)." Preprints. https://doi.org/10.20944/preprints202307.1303.v1
Abstract
One of the most burning topics in cybersecurity in 2023 will undoubtedly be compliance with the Software Bill of Materials. Since the US president issued Executive Order 14028 on Improving the Nation's Cybersecurity, software developers have prepared bills of materials that are transmitted to vendors, customers, and users, but the recipients don't know what to do with the reports they are getting. In addition, since software developers have recognised the value of the Software Bill of Materials, they have been using the reports extensively. This article presents an estimate of 270 million requests per month, just from one popular tool to one vulnerability index. This number is expected to double every year and a half. This simple estimate explains the urgency of automating the process. We propose solutions based on artificial intelligence and machine learning, and we base our tools on the existing FAIR principles (Findable, Accessible, Interoperable, and Reusable). This methodology is supported with case study research and Grounded Theory, for categorising data into axes and for verifying the value of the tools with experts in the field. We showcase how to create and share Vulnerability Exploitability eXchange data, and how to automate the Software Bill of Materials compliance process with AI models and a unified computational framework combining solutions for the following problems: (1) the data utilisation problem, (2) the automation and scaling problem, (3) the naming problem, (4) the alignment problem, (5) the pedigree and provenance problem, and many other problems that are top of mind for many security engineers at present. The uptake of these findings will depend on collaborations with government and industry, and on the availability and ease of use of automated tools.
Keywords
Artificial Intelligence and Machine Learning (AI/ML); Cyber vulnerability management; Software Bill of Materials (SBOM); Vulnerability-Exploitability eXchange (VEX); Common Security Advisory Framework (CSAF); Software Supply Chain Cyber Risk
Subject
Computer Science and Mathematics, Artificial Intelligence and Machine Learning
Copyright:
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.