Posted by Taylor Armerding on March 5, 2018
It’s hard to think of a better security concept than the CVE (Common Vulnerabilities and Exposures) program. It amounts to crowdsourcing security.
The idea is that anyone who finds an exploitable flaw in software or firmware reports it to a single organization, in this case the nonprofit, federally funded MITRE Corp., which maintains a list in which each vulnerability receives a unique identifier (a CVE ID), so that vendors, researchers, and scanning tools all refer to the same flaw by the same name.
So you have thousands, maybe tens of thousands, of people pooling their research efforts to help everybody who uses software—which today is pretty much everybody.
The intended result: Any individual or organization that wants to know whether a product they’re using has software vulnerabilities can simply check the CVE database.
Except that the reality has not matched the intent for quite some time. For years, critics of MITRE have complained that there is a major gap between the number of vulnerabilities discovered and the number that MITRE gives a CVE ID. They are also critical of the related National Vulnerability Database (NVD), maintained by NIST (National Institute of Standards and Technology), part of the U.S. Department of Commerce, which builds on the CVE list by adding severity scores and affected-product data to each entry.
In the 19 years since CVE began, the gap has grown—to the point where the complaints, including some from members of the CVE Board itself, have become louder.
Joshua Corman, chief security officer and senior vice president at PTC and a founder of I Am the Cavalry, speaking last year at the SOURCE Boston conference, said those using the MITRE database were left with a “blind spot of about 50%.”
Others say it’s more in the 35% range. Jennifer Lang, a spokesperson for MITRE, said some researchers and organizations that develop their own databases have different definitions regarding what constitutes a vulnerability. She said the “CVE community,” which includes MITRE, CVE Board members, CNAs (CVE numbering authorities), independent researchers, and stakeholders who use the database, “develops, agrees upon and evolves standards for determining what constitutes a vulnerability.”
A different set of rules, she said, would yield a different number of vulnerabilities.
Whatever the size of the gap, however, CVE Board members agree that there is one. But they say it is being addressed by increasing the number of CNAs, which expands the number of entities with the power to assign CVE IDs.
Last year, qualified CNAs included the DWF (Distributed Weakness Filing) Project, which assigns CVE IDs for vulnerabilities in open source software, plus major companies such as Microsoft, Apple, and Google, which assign IDs for vulnerabilities found in their own products.
By last year, the number of CNAs had increased from an original 22 to 62. It is now up to 83.
In an interview this week, Kent Landfield, chief standards and technology policy strategist at McAfee and a founding member of the CVE Board, said there has been “a lot of really great work” done with an expanded number of CNAs.
“It’s also automating a lot of the tasks that were slowing things down,” he said.
Chris Fearon, manager of research engineering at Black Duck by Synopsys, said it is tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, the OSS landscape has become a target-rich landscape for attackers,” he said.
But he agreed that many security researchers “have become frustrated with the MITRE approach. It has become a slow and difficult process to report and catalogue vulnerabilities, and this is partly due to resourcing constraints and CNA involvement,” he said.
Nabil Hannan, managing principal in the Synopsys Software Integrity Group, suggested that organizations could improve their security posture significantly just by getting control of the vulnerabilities that are already in the CVE database.
He said many of the “new” vulnerabilities reported aren’t really new, but simply new “flavors” or repackaging of existing ones.
“Most organizations still don’t have a handle on vulnerabilities that are known,” he said. “We’re still finding them in all the assessments we do—buffer overflows, memory dumps, and CSS.”
Landfield said everybody within the CVE community knows there are “many [vulnerabilities] that remain unidentified,” given that the Internet of Things (IoT) includes “smart cars, smart cities, smart everything.
“But I’m not into speculation about numbers,” he said, “and I believe in fighting the good fight.”
Whatever the gap between identified and CVE-cataloged vulnerabilities turns out to be, any organization trying to keep up with the ongoing explosive growth of the IoT attack surface needs resources to have any hope of dealing with the thousands of software defects that likely enter the production stream weekly.
And so far, it is tough to know what kind of money MITRE is working with. Those who know won’t say. Lang said MITRE defers all such questions to the Department of Homeland Security, which funds the CVE program. And DHS did not respond to a request for information about MITRE’s funding.
Landfield said while both MITRE and the NCCIC (National Cybersecurity and Communications Integration Center) have “done a great job” in pulling funding together from various accounts, he is not sure what its budget is either. He said he thinks the CVE program doesn’t even have its own line item.
“We need a line item,” he said. “I’d love to see discussion about that in Congress, especially when it’s so crucial.”
Fearon said that for now, any organization will need to rely on its own capabilities as well as the CVE or any other database. “The advice is to identify the technology and components in use that are most critical, and determine if you have the capability to monitor the security posture of those components in addition to leveraging MITRE/NVD,” he said.
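The advice above, to know which components you run and to check them against MITRE/NVD while treating the database as incomplete, can be reduced to a small matching routine. The following is an added example, not code from the article or from MITRE or NIST. It matches a constructed component inventory against a constructed fragment shaped like NVD's JSON 1.1 feed (the `CVE_Items` / `configurations` / `cpe_match` structure and the `versionStart*` / `versionEnd*` bounds are real NVD fields; the CVE IDs, vendor, product and version numbers are placeholders). The one behaviour worth noticing is the last case: a product the feed has never heard of is reported as "no record", not "no known CVEs", because, as the article explains, absence from the database says nothing about whether the component is vulnerable.

```python
"""Match a component inventory against an NVD-style JSON feed by CPE.

Added example, not code from the article or from MITRE/NIST. The feed
fragment and inventory below are constructed; IDs and products are
placeholders, not real records.
"""
import json

# Constructed feed fragment in the shape of NVD's JSON 1.1 "CVE_Items",
# trimmed to the fields this example reads. Placeholder IDs only.
NVD_FEED = json.loads("""
{"CVE_Items": [
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
   "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
     {"vulnerable": true,
      "cpe23Uri": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"}]}]}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
   "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
     {"vulnerable": true,
      "cpe23Uri": "cpe:2.3:a:examplevendor:exampleapp:2.4.1:*:*:*:*:*:*:*"},
     {"vulnerable": false,
      "cpe23Uri": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"}]}]}}
]}
""")

# Constructed inventory: (vendor, product, version) as an SBOM or package
# manifest would list them. The last entry appears nowhere in the feed.
INVENTORY = [
    ("examplevendor", "exampleapp", "2.3.7"),
    ("examplevendor", "exampleapp", "2.4.1"),
    ("examplevendor", "exampleapp", "2.5.0"),
    ("othervendor", "unlistedlib", "1.0.0"),
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple, so 2.10.0 sorts after 2.9.1.
    Simplified: semver prerelease tags or Debian epochs need a real comparator."""
    return tuple(int(p) for p in v.split("."))


def cpe_fields(cpe23: str) -> dict:
    """Vendor, product and version from a CPE 2.3 formatted string
    (cpe:2.3:part:vendor:product:version:...). Escaped colons are not handled."""
    parts = cpe23.split(":")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}


def in_range(version: str, match: dict) -> bool:
    """Apply NVD's four optional range bounds to a version string."""
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def cpe_matches(vendor: str, product: str, version: str, match: dict) -> bool:
    """A cpe_match entry applies when vendor/product agree and the CPE either
    names the exact version or uses a wildcard version with range bounds."""
    f = cpe_fields(match["cpe23Uri"])
    if (f["vendor"], f["product"]) != (vendor, product):
        return False
    return in_range(version, match) if f["version"] == "*" else f["version"] == version


def known_cves(feed: dict, vendor: str, product: str, version: str) -> list:
    """CVE IDs whose configuration marks this exact component as vulnerable.
    Only flat OR nodes are handled; nested AND nodes (child CPE lists) are not."""
    hits = []
    for item in feed["CVE_Items"]:
        matches = [m for node in item["configurations"]["nodes"]
                   for m in node.get("cpe_match", [])]
        if any(m.get("vulnerable") and cpe_matches(vendor, product, version, m)
               for m in matches):
            hits.append(item["cve"]["CVE_data_meta"]["ID"])
    return hits


def product_in_feed(feed: dict, vendor: str, product: str) -> bool:
    """True if any configuration names this vendor/product at all, vulnerable
    or not. Absence means the database has nothing to say about the product."""
    return any(
        (cpe_fields(m["cpe23Uri"])["vendor"], cpe_fields(m["cpe23Uri"])["product"])
        == (vendor, product)
        for item in feed["CVE_Items"]
        for node in item["configurations"]["nodes"]
        for m in node.get("cpe_match", []))


def assess(feed: dict, inventory: list) -> dict:
    """Map 'vendor:product:version' to its CVE list, or to None when the feed
    has no record of the product (unknown coverage, not a clean result)."""
    report = {}
    for vendor, product, version in inventory:
        key = f"{vendor}:{product}:{version}"
        report[key] = (known_cves(feed, vendor, product, version)
                       if product_in_feed(feed, vendor, product) else None)
    return report


if __name__ == "__main__":
    for component, cves in assess(NVD_FEED, INVENTORY).items():
        if cves is None:
            print(f"{component}: no NVD record (coverage unknown)")
        else:
            print(f"{component}: {', '.join(cves) or 'no known CVEs'}")
```

Against the constructed feed, 2.3.7 falls inside the first CVE's range, 2.4.1 is excluded from that range but is named exactly by the second, 2.5.0 matches nothing, and `unlistedlib` is reported as having no record at all. In practice the inventory would come from an SBOM, the feed from a full NVD download, and the "no record" rows are exactly the components for which an organization needs its own monitoring.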