IEEE CloudCom has been a prime international forum for researchers and industry professionals to exchange the latest technological advances in the state of the art and practice of cloud computing. Last year, the conference was held in Bangkok, Thailand, at the Millennium Hilton Bangkok from December 13–16, 2022. More than 40 research papers were submitted and discussed across riveting research tracks such as Cloud Infrastructure & Operation and Management, Cloud Services & Applications, Security Privacy & Trust, Edge Computing & IoT Distributed Cloud, and Workshop & Open Infrastructure. In the Security Privacy & Trust track, one of our students, Kietthibhum Boonchuay, presented a research paper on “Software Vulnerability Assessment: Vendor, Scanner, and User Analysis”. The content of Kietthibhum's article is summarized below.
Software vulnerabilities can lead to serious cybersecurity exploits and compromises, damaging businesses and their reputations. Software is written by human programmers, so it will always be prone to vulnerabilities introduced through human error or a lack of foresight on the part of its designers. Current software systems are exceedingly complex. Operating systems contain billions of lines of code and host many middleware components or libraries. These middleware components and libraries are needed to run the software applications users are familiar with, such as browsers and desktop/mobile applications. Because of the code base's size and complexity, there are many opportunities for software vulnerabilities to be introduced. Researchers from academia and business corporations collaborate to find zero-day vulnerabilities. Once a vulnerability is identified and made public, everyone, including attackers, is aware of it, and it may be taken advantage of. This starts a race between the software developers, who want to patch the vulnerability, and malicious third-party hackers, who want to exploit it. The main objective of this assessment is to understand how vulnerable current, widely used software is to modern cyberattacks.
The process of software vulnerability discovery and repair is as follows. Experts must first identify vulnerabilities, confirm them, and then notify the software vendor of their existence. It is also possible, however, for the software vendor to identify the vulnerabilities itself. Before the vulnerability is made public, the software vendor is given a set amount of time to patch it. If the software vendor fails to release the patch within this period, the vulnerability is made public without the vendor's patch. Once the patch is complete, the vendor releases it to the public. Users may then download the patch manually or allow their software to apply it through an automatic update.
In addition to finding vulnerabilities manually, a vulnerability scanner, if one exists, can be used to detect some of the vulnerabilities present in the software installed on a system. Scanners such as MDE or Qualys are often used in this scenario. However, there are instances where the software vendor releases a patch for a vulnerability before the scanners are able to detect it.
After gathering data from thousands of computers over the course of five months, Kietthibhum's research found that the optimal way for software vendors to secure their software is to release patches through an auto-update function, so that the software updates itself without users having to do it manually. For software that lacks this feature, it is still in the user's best interest to apply the update themselves as soon as they are notified of a vulnerability patch.
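The disclosure timeline described above (vendor notification, grace period, patch release, scanner signature, user action) can be modelled to see why the exposure window differs between auto-update and manual hosts. The following is an added illustration, not code from the paper; the 90-day grace period, the same-day auto-update assumption and the sample fleet and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE_PERIOD_DAYS = 90  # assumed time the vendor gets before public disclosure

@dataclass
class Vulnerability:
    vendor_notified: date               # day the vendor is told about the flaw
    patch_released: Optional[date]      # None if the vendor never ships a fix
    scanner_signature: Optional[date]   # day a scanner (e.g. MDE/Qualys) can detect it

@dataclass
class Host:
    name: str
    auto_update: bool
    manual_delay_days: int              # how long the user takes once notified

def public_disclosure(v: Vulnerability, grace_days: int = GRACE_PERIOD_DAYS) -> date:
    """The flaw goes public at patch release or when the grace period runs out,
    whichever comes first (the 'no patch within the period' case)."""
    deadline = v.vendor_notified + timedelta(days=grace_days)
    return deadline if v.patch_released is None else min(v.patch_released, deadline)

def applied_on(h: Host, v: Vulnerability) -> Optional[date]:
    """Day the fix lands on this host, or None if it never will."""
    if v.patch_released is None:
        return None
    if h.auto_update:
        return v.patch_released         # assumption: auto-update applies the day it ships
    # Manual hosts act only once notified: by the scanner when a signature exists,
    # otherwise the user is assumed to notice the vendor's public release.
    notified = v.scanner_signature or v.patch_released
    return max(notified, v.patch_released) + timedelta(days=h.manual_delay_days)

def exposure_days(h: Host, v: Vulnerability, today: date) -> int:
    """Days between attackers learning of the flaw and the host being fixed."""
    start = public_disclosure(v)
    end = applied_on(h, v) or today     # an unpatched host stays exposed until 'today'
    return max(0, (min(end, today) - start).days)

# Constructed sample: the scanner signature arrives two weeks after the patch.
VULN = Vulnerability(date(2022, 1, 10), date(2022, 2, 1), date(2022, 2, 15))
FLEET = [Host("auto-1", True, 0), Host("manual-1", False, 3), Host("manual-2", False, 30)]
AS_OF = date(2022, 6, 1)

def fleet_report(hosts=FLEET, v=VULN, today=AS_OF) -> dict:
    return {h.name: exposure_days(h, v, today) for h in hosts}

if __name__ == "__main__":
    for name, days in fleet_report().items():
        print(f"{name}: exposed {days} days")
```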