├── .github └── workflows │ ├── cla.yml │ ├── publish-to-pypi.yml │ └── publish-to-test-pypi.yml ├── .gitignore ├── LICENSE ├── README.md ├── cla.md ├── dsram ├── __init__.py ├── likelihood.py └── severity.py ├── requirements.txt ├── setup.py └── signatures └── version1 └── cla.json /.github/workflows/cla.yml: -------------------------------------------------------------------------------- 1 | name: "CLA Assistant" 2 | on: 3 | issue_comment: 4 | types: [created] 5 | pull_request_target: 6 | types: [opened,closed,synchronize] 7 | 8 | jobs: 9 | CLAssistant: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - name: "CLA Assistant" 13 | if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' 14 | # Beta Release 15 | uses: cla-assistant/github-action@v2.1.3-beta 16 | env: 17 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 18 | # the below token should have repo scope and must be manually added by you in the repository's secret 19 | PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }} 20 | with: 21 | path-to-signatures: 'signatures/version1/cla.json' 22 | path-to-document: 'https://github.com/Deploying-Securely/DSRAM/blob/main/cla.md' # e.g. a CLA or a DCO document 23 | # branch should not be protected 24 | branch: 'main' 25 | 26 | #below are the optional inputs - If the optional inputs are not given, then default values will be taken 27 | #remote-organization-name: enter the remote organization name where the signatures should be stored (Default is storing the signatures in the same repository) 28 | #remote-repository-name: enter the remote repository name where the signatures should be stored (Default is storing the signatures in the same repository) 29 | #create-file-commit-message: 'For example: Creating file for storing CLA Signatures' 30 | #signed-commit-message: 'For example: $contributorName has signed the CLA in #$pullRequestNo' 31 | #custom-notsigned-prcomment: 'pull request comment with Introductory message to ask new contributors to sign' 32 | #custom-pr-sign-comment: 'The signature to be committed in order to sign the CLA' 33 | #custom-allsigned-prcomment: 'pull request comment when all contributors has signed, defaults to **CLA Assistant Lite bot** All Contributors have signed the CLA.' 34 | #lock-pullrequest-aftermerge: false - if you don't want this bot to automatically lock the pull request after merging (default - true) 35 | #use-dco-flag: true - If you are using DCO instead of CLA 36 | 37 | #Licensed from https://github.com/marketplace/actions/cla-assistant-lite 38 | -------------------------------------------------------------------------------- /.github/workflows/publish-to-pypi.yml: -------------------------------------------------------------------------------- 1 | name: Publish Python 🐍 distributions 📦 to PyPI 2 | 3 | on: push 4 | 5 | jobs: 6 | build-n-publish: 7 | name: Build and publish Python 🐍 distributions 📦 to PyPI 8 | runs-on: ubuntu-18.04 9 | 10 | steps: 11 | - uses: actions/checkout@master 12 | - name: Set up Python 3.9 13 | uses: actions/setup-python@v1 14 | with: 15 | python-version: 3.9 16 | 17 | - name: Install pypa/build 18 | run: >- 19 | python -m 20 | pip install 21 | build 22 | --user 23 | - name: Build a binary wheel and a source tarball 24 | run: >- 25 | python -m 26 | build 27 | --sdist 28 | --wheel 29 | --outdir dist/ 30 | . 31 | 32 | - name: Publish distribution 📦 to PyPI 33 | if: startsWith(github.ref, 'refs/tags') 34 | uses: pypa/gh-action-pypi-publish@master 35 | with: 36 | password: ${{ secrets.PYPI_API_TOKEN }} 37 | -------------------------------------------------------------------------------- /.github/workflows/publish-to-test-pypi.yml: -------------------------------------------------------------------------------- 1 | name: Publish Python 🐍 distributions 📦 to TestPyPI 2 | 3 | on: push 4 | 5 | jobs: 6 | build-n-publish: 7 | name: Build and publish Python 🐍 distributions 📦 to TestPyPI 8 | runs-on: ubuntu-18.04 9 | 10 | steps: 11 | - uses: actions/checkout@master 12 | - name: Set up Python 3.9 13 | uses: actions/setup-python@v1 14 | with: 15 | python-version: 3.9 16 | 17 | - name: Install pypa/build 18 | run: >- 19 | python -m 20 | pip install 21 | build 22 | --user 23 | - name: Build a binary wheel and a source tarball 24 | run: >- 25 | python -m 26 | build 27 | --sdist 28 | --wheel 29 | --outdir dist/ 30 | . 31 | 32 | - name: Publish distribution 📦 to Test PyPI 33 | uses: pypa/gh-action-pypi-publish@master 34 | with: 35 | password: ${{ secrets.TEST_PYPI_API_TOKEN }} 36 | repository_url: https://test.pypi.org/legacy/ 37 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DSRAM 2 | Deploy Securely Risk Assessment Model 3 | 4 | The purpose of the DSRAM (working title/acronym) is to allow information security professionals to evaluate the financial risk posed by individual vulnerabilities in a simple and, potentially, automated, manner. 5 | 6 | There are two primary modules: likelihood and severity. These are the two primary components of calculations allowing for the estimation of the financial value of risk. 7 | 8 | The likelihood module is built around the open-source Exploit Prediction Scoring System (EPSS), developed by the Forum of Incident Response and Security Teams (FIRST). The EPSS provides an estimate of the likelihood that a given Common Vulnerability and Exposure (CVE) will be maliciously exploited in the next 30 days. Although not provided by FIRST, the likelihood module also provides the estimated probability of exploitation in the next 365 days as well. 9 | 10 | The severity module helps to calculate the loss from the exploitation of a given vulnerability, using the confidentiality, integrity, and availability (CIA) triad. For considerations on what to consider when inputing the various values, please see https://haydock.substack.com/p/the-deploying-securely-risk-assessment. 11 | 12 | Finally, an interactive calculator implementing the modules is available via Google Colab: https://colab.research.google.com/drive/1q-04x9zgO9Nh5ap1XmkMJfwm-ahaqkce?usp=sharing. 13 | -------------------------------------------------------------------------------- /cla.md: -------------------------------------------------------------------------------- 1 | ### Deploy Securely Individual Contributor License Agreement (CLA) 2 | 3 | Thank you for your interest in contributing to open source software projects (“Projects”) made available by Walter H. Haydock (“Owner”). 4 | This Individual Contributor License Agreement (“Agreement”) sets out the terms governing any source code, object code, bug fixes, configuration 5 | changes, tools, specifications, documentation, data, materials, feedback, information or other works of authorship that you submit or have submitted, 6 | in any form and in any manner, to Owner in respect of any of the Projects (collectively “Contributions”). If you have any questions respecting this 7 | Agreement, please contact walter@deploy-securely.com. 8 | 9 | You agree that the following terms apply to all of your past, present and future Contributions. 10 | 11 | **Copyright License.** You hereby grant, and agree to grant, to Owner a non-exclusive, perpetual, 12 | irrevocable, worldwide, fully-paid, royalty-free, transferable copyright license to reproduce, 13 | prepare derivative works of, publicly display, publicly perform, and distribute your Contributions 14 | and such derivative works, with the right to sublicense the foregoing rights through unlimited tiers of sublicensees. 15 | 16 | **Patent License.** You hereby grant, and agree to grant, to Owner a non-exclusive, perpetual, irrevocable, 17 | worldwide, fully-paid, royalty-free, transferable patent license to make, have made, use, offer to sell, sell, 18 | import, and otherwise transfer your Contributions, where such license applies only to those patent claims 19 | licensable by you that are necessarily infringed by your Contributions alone or by combination of your 20 | Contributions with the Project to which such Contributions were submitted, with the right to sublicense the 21 | foregoing rights through unlimited tiers of sublicensees. 22 | 23 | **Moral Rights.** To the fullest extent permitted under applicable law, you hereby irrevocably waive all, and agree not to 24 | assert any, of your “moral rights” in or relating to your Contributions for the benefit of Owner, its assigns, and 25 | their respective direct and indirect sublicensees. 26 | 27 | **Representations.** You represent that you are the sole author of your Contributions and are legally entitled 28 | to grant the foregoing licenses and waivers in respect of your Contributions. If your Contributions were 29 | created in the course of your employment with your past or present employer(s), you represent that such 30 | employer(s) has authorized you to make your Contributions on behalf of such employer(s) - in a manner complying with this Agreement - or such employer 31 | (s) has waived all right, title, or interest in or to your Contributions. 32 | 33 | **Disclaimer.** To the fullest extent permitted under applicable law, Projects are provided on an "AS IS" 34 | basis, without any warranties or conditions, express or implied, including, without limitation, any implied 35 | warranties or conditions of non-infringement, merchantability or fitness for a particular purpose. Owner has 36 | no obligation to provide support for Projects. 37 | 38 | **Hold Harmless.** 39 | To the fullest extent not prohibited by law, You indemnify and hold harmless Owner, its directors, officers, agents, and, employees from and against all claims, damages, losses, and expenses (including but not limited to attorney’s fees) arising by reason of any act or failure to act, negligent or otherwise, of Owner, of any subcontractor (meaning anyone, including but not limited to consultants having a contract with Owner), of anyone directly or indirectly employed by Owner or by any subcontractor, or of anyone for whose acts Owner or its subcontractor may be liable, in connection with providing this Project 40 | 41 | **No Obligation.** You acknowledge that Owner is under no obligation to use or incorporate your Contributions 42 | into any of the Projects. The decision to use or incorporate your Contributions into any of the Projects will be 43 | made at the sole discretion of Owner or authorized delegates. 44 | 45 | **Assignment.** You agree that Owner may assign this Agreement, and all of its rights, obligations and licenses 46 | hereunder. 47 | 48 | **Disputes.** This Agreement shall be governed by and construed in accordance with the laws of the State of 49 | New Hampshire, United States of America, without giving effect to its principles or rules regarding conflicts of laws, 50 | other than such principles directing application of New Hampshire law. In the event that any of the provisions of this Agreement 51 | shall be held by a court or other tribunal of competent jurisdiction to be unenforceable, the remaining portions hereof shall remain 52 | in full force and effect. 53 | -------------------------------------------------------------------------------- /dsram/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /dsram/likelihood.py: -------------------------------------------------------------------------------- 1 | def get_all_epss(): 2 | # The Exploit Prediction Scoring System (EPSS) is an open source model provided by the non-profit 3 | # Forum of Incident Response and Security Teams (FIRST). 4 | # At a high level, the score refers to the probability (0-1 scale) that a Common Vulnerability and Exposure (CVE) 5 | # will be exploited by a malicious actor in the next 30 days. 6 | # Please see https://www.first.org/epss/model for additional details on how to interpet the results. 7 | # See this article for a high-level analysis: https://haydock.substack.com/p/deep-dive-into-the-epss. 8 | 9 | # Pandas is a very useful Python library for data manipulation, cleaning, and analysis. 10 | import pandas as pd 11 | 12 | # get EPSS data 13 | df_epss = pd.read_csv('https://epss.cyentia.com/epss_scores-current.csv.gz', compression='gzip', encoding='utf8') 14 | 15 | # Cleaning up the epss data 16 | df_epss = df_epss.rename(columns={list(df_epss)[0]: "epss_30_day",\ 17 | list(df_epss)[1]: "percentile"}) 18 | df_epss = df_epss.drop(index='cve') 19 | df_epss['epss_30_day'] = df_epss['epss_30_day'].astype(float) 20 | df_epss['percentile'] = df_epss['percentile'].astype(float) 21 | 22 | return df_epss 23 | 24 | def get_epss_30_from_cve_id(cve_id): 25 | import numpy as np 26 | try: 27 | result = df_epss.loc[cve_id]['epss_30_day'] 28 | except: 29 | result = np.nan 30 | return result 31 | 32 | def get_epss_30_percentile_from_cve_id(cve_id): 33 | import numpy as np 34 | try: 35 | result = df_epss.loc[cve_id]['percentile'] 36 | except: 37 | result = np.nan 38 | return result * 100 39 | 40 | def get_nvd_data(list_of_years): 41 | from urllib.request import urlopen 42 | from io import BytesIO 43 | from zipfile import ZipFile 44 | import pandas as pd 45 | 46 | counter = 0 47 | df = [] 48 | 49 | for year in list_of_years: 50 | url = 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-'+str(year)+'.json.zip' 51 | extract_target = 'nvdcve-1.1-'+str(year)+'.json' 52 | # Extracting zip file 53 | z = urlopen(url) 54 | stage_1 = z.read() 55 | stage_2 = (BytesIO(stage_1)) 56 | stage_3 = ZipFile(stage_2) 57 | stage_4 = stage_3.extract(extract_target) 58 | yearly_data = pd.read_json(stage_4) 59 | if counter == 0: 60 | df = yearly_data 61 | else: 62 | df = df.append(yearly_data) 63 | counter +=1 64 | 65 | # Flatenning CVE_Items 66 | CVE_Items = pd.json_normalize(df["CVE_Items"]) 67 | 68 | # Concatenating and cleaning up the data frame by dropping the original index as well as the nested JSON column 69 | df = pd.concat([df.reset_index(), CVE_Items], axis=1) 70 | df_cves = df.drop(["index", "CVE_Items"], axis=1) 71 | 72 | from datetime import datetime, timedelta 73 | import pytz 74 | df_cves['publishedDate'] = pd.to_datetime(df_cves['publishedDate']) 75 | now = datetime.utcnow().replace(tzinfo=pytz.utc) 76 | df_cves['cve_age'] = now - df_cves['publishedDate'] 77 | 78 | # Creating function to convert timedelta into float 79 | def timedelta_to_second(timedelta): 80 | return timedelta.total_seconds() / 86400 # number of seconds in a day 81 | 82 | # Converting timedelta to days (float) 83 | df_cves['cve_age'] = df_cves['cve_age'].apply(timedelta_to_second) 84 | 85 | # setting index to CVE ID 86 | df_cves = df_cves.set_index(['cve.CVE_data_meta.ID']) 87 | 88 | return df_cves 89 | 90 | def epss_365_day_from_epss_30_day(cve_age, epss_30_day): 91 | # This is VERY ROUGH, but essentially I developed an "exploitation curve" function to predict the likelihood of exploitation over time of a given vulnerability 92 | # According to Mandiant (https://www.mandiant.com/resources/time-between-disclosure-patch-release-and-vulnerability-exploitation), of all known vulnerabilities that are exploited, 93 | # 1/3 are exploited in the first week of identification, 94 | # 1/3 are exploited in the subsequent month (but excluding the first week), 95 | # and the remaining 1/3 are exploited after one month of identification. 96 | # This roughly corresponds to a function for risk_of_exploitation = .05 ^ (.0125 * CVE age in days) 97 | 98 | def exploitation_curve(cve_age): 99 | exploitation_curve_factor = 0.05**(0.0125 * float(cve_age)) 100 | return exploitation_curve_factor 101 | 102 | average_days_per_month = float(365.25) / float(12) 103 | 104 | # The below formaula annualizes the 30 day likelihood of exploitation, in accordance with https://math.stackexchange.com/questions/490859/calculating-probabilities-over-longer-period-of-time 105 | # Instead of taking 1 - probability of exploitation to the 12th power, however, I adjusted each monthly exploitation by the exploitation curve function. 106 | epss_365_day = float(1) - ((float(1) - epss_30_day) *\ 107 | (float(1) - epss_30_day * exploitation_curve(cve_age + average_days_per_month)) *\ 108 | (float(1) - epss_30_day * exploitation_curve(cve_age + (2 * average_days_per_month))) *\ 109 | (float(1) - epss_30_day * exploitation_curve(cve_age + (3 * average_days_per_month))) *\ 110 | (float(1) - epss_30_day * exploitation_curve(cve_age + (4 * average_days_per_month))) *\ 111 | (float(1) - epss_30_day * exploitation_curve(cve_age + (5 * average_days_per_month))) *\ 112 | (float(1) - epss_30_day * exploitation_curve(cve_age + (6 * average_days_per_month))) *\ 113 | (float(1) - epss_30_day * exploitation_curve(cve_age + (7 * average_days_per_month))) *\ 114 | (float(1) - epss_30_day * exploitation_curve(cve_age + (8 * average_days_per_month))) *\ 115 | (float(1) - epss_30_day * exploitation_curve(cve_age + (9 * average_days_per_month))) *\ 116 | (float(1) - epss_30_day * exploitation_curve(cve_age + (10 * average_days_per_month))) *\ 117 | (float(1) - epss_30_day * exploitation_curve(cve_age + (11 * average_days_per_month)))) 118 | 119 | return epss_365_day 120 | 121 | def non_cve_exploitability_score(user_interaction, privileges_required, attack_vector): 122 | if user_interaction: 123 | if privileges_required: 124 | if attack_vector == "adjacent_network": 125 | exploitability_score = float(0.009125) 126 | if attack_vector == "physical": 127 | exploitability_score = float(0.009484) 128 | if attack_vector == "network": 129 | exploitability_score = float(0.011233) 130 | if attack_vector == "local": 131 | exploitability_score = float(0.011900) 132 | if not privileges_required: 133 | if attack_vector == "adjacent_network": 134 | exploitability_score = float(0.020369) 135 | if attack_vector == "physical": 136 | exploitability_score = float(0.009634) 137 | if attack_vector == "network": 138 | exploitability_score = float(0.028147) 139 | if attack_vector == "local": 140 | exploitability_score = float(0.020971) 141 | if not user_interaction: 142 | if privileges_required: 143 | if attack_vector == "adjacent_network": 144 | exploitability_score = float(0.017078) 145 | if attack_vector == "physical": 146 | exploitability_score = float(0.012106) 147 | if attack_vector == "network": 148 | exploitability_score = float(0.020974) 149 | if attack_vector == "local": 150 | exploitability_score = float(0.011861) 151 | if not privileges_required: 152 | if attack_vector == "adjacent_network": 153 | exploitability_score = float(0.029069) 154 | if attack_vector == "physical": 155 | exploitability_score = float(0.010787) 156 | if attack_vector == "network": 157 | exploitability_score = float(0.028147) 158 | if attack_vector == "local": 159 | exploitability_score = float(0.011424) 160 | 161 | return exploitability_score 162 | -------------------------------------------------------------------------------- /dsram/severity.py: -------------------------------------------------------------------------------- 1 | def confidentiality_impact(records_at_risk, \ 2 | confidentiality_exposure_factor, \ 3 | data_type, \ 4 | custom_data_value = None): 5 | 6 | if custom_data_value: 7 | cost_per_record = float(custom_data_value) 8 | elif data_type == "Customer PII (non-anonymized)": 9 | cost_per_record = float(180) 10 | elif data_type == "Customer PII (anonymized)": 11 | cost_per_record = float(157) 12 | elif data_type == "Intellectual property": 13 | cost_per_record = float(169) 14 | else: 15 | cost_per_record = float(165) # Value for "Other sensitive data" 16 | 17 | confidentiality_cost = confidentiality_exposure_factor *\ 18 | records_at_risk *\ 19 | cost_per_record 20 | 21 | return confidentiality_cost 22 | 23 | def integrity_impact(discount_rate, \ 24 | records_at_risk, \ 25 | integrity_exposure_factor, \ 26 | integrity_recovery_days, \ 27 | integrity_recovery_cost_per_day, \ 28 | integrity_value_per_record_per_day, \ 29 | permanent_integrity_loss = False): 30 | 31 | if permanent_integrity_loss: 32 | integrity_cost = integrity_exposure_factor * \ 33 | ((records_at_risk * integrity_value_per_record_per_day * 365) / discount_rate) 34 | 35 | else: 36 | integrity_cost = integrity_exposure_factor *\ 37 | records_at_risk *\ 38 | (integrity_recovery_days * (integrity_value_per_record_per_day + integrity_recovery_cost_per_day)) 39 | 40 | return integrity_cost 41 | 42 | def availability_impact(availability_exposure_factor, \ 43 | availability_recovery_days, \ 44 | availability_recovery_cost_per_day, \ 45 | availability_value_per_day): 46 | 47 | availability_cost = availability_exposure_factor *\ 48 | availability_recovery_days *\ 49 | (availability_recovery_cost_per_day + availability_value_per_day) 50 | 51 | return availability_cost 52 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pip 2 | wheel 3 | twine 4 | pandas 5 | numpy 6 | re 7 | datetime 8 | pytz 9 | requests 10 | urllib.request 11 | io 12 | zipfile 13 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup, find_packages 2 | 3 | with open("README.md", "r") as readme_file: 4 | readme = readme_file.read() 5 | 6 | requirements = [] 7 | 8 | setup( 9 | name="dsram", 10 | version="1.0.5", 11 | author="Walter Haydock", 12 | author_email="walter@deploy-securely.com", 13 | description="A quantitative cyber risk management calculator", 14 | long_description="README.md", 15 | long_description_content_type="text/markdown", 16 | url="https://github.com/Deploying-Securely/DSRAM", 17 | packages=find_packages(), 18 | install_requires=requirements, 19 | classifiers=['License :: OSI Approved :: Apache Software License'], 20 | ) 21 | -------------------------------------------------------------------------------- /signatures/version1/cla.json: -------------------------------------------------------------------------------- 1 | { 2 | "signedContributors": [ 3 | { 4 | "name": "Walter-Haydock", 5 | "id": 41760518, 6 | "comment_id": 1074550668, 7 | "created_at": "2022-03-22T00:21:28Z", 8 | "repoId": 472500249, 9 | "pullRequestNo": 7 10 | } 11 | ] 12 | } --------------------------------------------------------------------------------