Others say it’s more in the 35% range. Jennifer Lang, a spokesperson for MITRE, said some researchers and organizations that develop their own databases have different definitions regarding what constitutes a vulnerability. She said the “CVE community,” which includes MITRE, CVE Board members, CNAs (CVE numbering authorities), independent researchers, and stakeholders who use the database, “develops, agrees upon and evolves standards for determining what constitutes a vulnerability.”
A different set of rules, she said, would yield a different number of vulnerabilities.
Whatever the size of the gap, however, CVE Board members agree that there is one. But they say it is being addressed by increasing the number of CNAs, which expands the number of entities with the power to assign CVE IDs.
Last year, qualified CNAs included the DWF (Distributed Weakness Filing) Project, which is responsible for finding and identifying vulnerabilities in open source software, plus major companies such as Microsoft, Apple, and Google, whose role is to identify and catalog vulnerabilities found in their own products.
By last year, the number of CNAs had increased from an original 22 to 62. It is now up to 83.
In an interview this week, Kent Landfield, chief standards and technology policy strategist at McAfee and a founding member of the CVE Board, said there has been “a lot of really great work” done with an expanded number of CNAs.
“It’s also automating a lot of the tasks that were slowing things down,” he said.
Chris Fearon, manager of research engineering at Synopsys, said it is tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, the OSS landscape has become a target-rich landscape for attackers,” he said.
But he agreed that many security researchers “have become frustrated with the MITRE approach. It has become a slow and difficult process to report and catalogue vulnerabilities, and this is partly due to resourcing constraints and CNA involvement,” he said.
Nabil Hannan, managing principal in the Synopsys Software Integrity Group, suggested that organizations could improve their security posture significantly just by getting control of the vulnerabilities that are already in the CVE database.
He said many of the “new” vulnerabilities reported aren’t really new, but simply new “flavors” or repackaging of existing ones.
“Most organizations still don’t have a handle on vulnerabilities that are known,” he said. “We’re still finding them in all the assessments we do—buffer overflows, memory dumps, and CSS.”
Landfield said everybody within the CVE community knows there are “many [vulnerabilities] that remain unidentified,” given that the Internet of Things (IoT) includes “smart cars, smart cities, smart everything.”
“But I’m not into speculation about numbers,” he said, “and I believe in fighting the good fight.”
Whatever the gap between identified and CVE-cataloged vulnerabilities turns out to be, any organization trying to keep up with the ongoing explosive growth of the IoT attack surface needs resources to have any hope of dealing with the thousands of software defects that likely enter the production stream weekly.
And so far, it is tough to know what kind of money MITRE is working with. Those who know won’t say. Lang said MITRE defers all such questions to the Department of Homeland Security, which funds the CVE program. And DHS did not respond to a request for information about MITRE’s funding.
Landfield said while both MITRE and the NCCIC (National Cybersecurity and Communications Integration Center) have “done a great job” in pulling funding together from various accounts, he is not sure what its budget is either. He said he thinks the CVE program doesn’t even have its own line item.
“We need a line item,” he said. “I’d love to see discussion about that in Congress, especially when it’s so crucial.”
Fearon said that for now, any organization will need to rely on its own capabilities as well as the CVE or any other database. “The advice is to identify the technology and components in use that are most critical, and determine if you have the capability to monitor the security posture of those components in addition to leveraging MITRE/NVD,” he said.