In the 22 years since the CVE Program began, there has been a long-standing gap between the number of vulnerabilities discovered and those that received a CVE ID. That gap has been large enough—30% to 50%—for some critics to complain that organizations relying on the CVE database sometimes struggle to keep their software secure.
That’s in large measure because of the exponential growth in the creation and use of software, particularly open source. Chris Fearon, director of research engineering with the Synopsys Software Integrity Group, noted that it’s tough for any organization to keep up with the explosive growth of vulnerabilities. “With increased adoption of open source software, it has become a target-rich landscape for attackers,” he said.
But MITRE has sought to address that gap by increasing the number of qualified CNAs through a federated model. Starting with an original 22 CNAs, there were 83 three years ago, and they now number 158 in 26 countries.
Synopsys joins authorized commercial entities such as Linux, Red Hat, Google, and Microsoft as CNAs, which aim to close that gap.
And given that virtually every component of modern business is powered by software, the security of products, employee and customer records, online marketing, supply chains, financial records, and more depends on being able to identify and fix software vulnerabilities.