NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management

Abstract

Cloud Security Posture Management (CSPM) tools have been gaining popularity to automate, monitor and visualize the security posture of multi-cloud environments. The foundation to assess the risk lies on being able to analyze each vulnerability and quantify its risk. However, the number of vulnerabilities in National Vulnerability Database (NVD) has skyrocketed in recent years and surpassed 144K as of late 2020. The current standard vulnerability tracking system relies mostly on human-driven efforts. Besides, open-source libraries do not necessarily follow the standards of vulnerability reporting set by CVE and NIST, but rather use Github issues for reporting. In this paper, we propose a framework, NL2Vul, to measure score of vulnerabilities with minimal human efforts. NL2Vul makes use of deep neural networks to train on descriptions of software vulnerabilities from NVD and predicts vulnerability scores. To flexibly expand the trained NVD model for different data sources that are being used to evaluate the risk posture in CSPM, NL2Vul uses transfer learning for quick re-Training. We have evaluated NL2Vul with vanilla NVD, public Github issues of open source projects, and compliance technology specification documents.