Risk Based Security Throws Shade at CVE Program

Vulnerability assessments are difficult at the best of times, but a new report from Risk Based Security suggests that they might be even harder than you think. Relying only on the CVE vulnerability database during a vulnerability scan could leave you blind to a third of all security flaws, the company says.

Risk Based Security has an axe to grind. It sells vulnerability intelligence as a service, meaning that it wants you to view it as the ultimate authority. Nevertheless, the latest version of its quarterly report makes interesting reading.

“If your organization is currently relying on CVE (and most are), at least 33% of all disclosed vulnerabilities are completely unknown to you,” said the company's cofounder Jake Kouns in the report.

The problem, according to the report, is that Mitre’s CVE team is reactive, waiting for researchers and vendors to notify them of bugs so that they can be assigned a CVE number. That means if the researcher doesn’t inform Mitre and request a CVE, then the flaw won't make it into the CVE database at all. Instead, it might crop up in one of many other places, such as BitBucket, SourceForge, GitHub, or a vendor's own bug mailing list.

Risk Based Security also points out that many CVE entries stay in 'reserved' status for considerable periods. A CVE entry is reserved when its details have not yet been published for security reasons. However, the report warns, CVE is slow to process the details and update the entry for many bugs even after those details are in the public domain.

It's an interesting time to make criticisms like these. The CVE program, which Mitre (a non-profit) oversees for the federal government in the US, turned 20 last month. For years, it trundled along handling a relatively small number of vulnerabilities, but around 2017, the number of bugs that it logged grew by 128%. It now deals with substantially more bugs each year than it did in the past. Security bug processing slowed as the project found itself dealing with a bigger workload, and Congress investigated, leading to an ongoing series of performance reviews.

The CVE program has responded by increasing the number of CVE Numbering Authorities (CNAs), which are the organizations that can grant a CVE number for a reported security bug. Mitre is working hard to keep up with the increasing volume of bugs, but no one will deny that it’s a challenge.