What You Don’t Know About The Vulnerability Ecosystem Can Lead To A Data Breach

I started working in vulnerability intelligence and running vulnerability databases more than 15 years ago. Recently, I paused to reflect on some of the changes in how vulnerabilities are reported today versus at the beginning of my career. These changes greatly affect how I believe organizations must deal with vulnerabilities reported in the products they use, as well as the overall value of having access to a vulnerability intelligence solution.

More vulnerabilities are being reported than ever before

It is clear that the number of vulnerabilities reported has risen dramatically over the past 15+ years. In 2000, the number of vulnerabilities reported was less than 3,500. In 2010, the number was a bit less than 10,000. At the time, that was considered a very surprising ceiling to break. In fact, the original designers of CVE considered the idea of more than 9,999 vulnerabilities in a single year so surreal that they opted for a fixed four-digit sequence number; the identifier syntax was only changed in 2014, when the growing volume forced a move to sequence numbers of four or more digits. Each year the number of reported vulnerabilities has been rising steadily, with 2017 being another record-breaking year with more than 20,000 disclosed vulnerabilities.

There are various reasons for this increase, including but not at all limited to the significant growth in the amount of software created and published. Most organizations and security practitioners have recognised that identifying and addressing vulnerabilities is critical to good IT security. That recognition, together with the potential payday offered by bug bounty programs, has attracted more vulnerability researchers to what is an exciting field, while the bar for finding vulnerabilities has also been lowered. This makes it possible for more hobby researchers to participate than in the past. It is partly due to the release of simple yet effective tools such as afl-fuzz, a very popular fuzzer, as well as tools for auditing web applications, which still receive a lot of attention and continue to be riddled with basic vulnerabilities.

While more than 20,000 vulnerabilities is a high number to beat, each year since 2011 has surpassed the previous one, so it will be interesting to see what 2018 brings.

Vulnerability reporting has become more decentralized

In the early 2000s, an interested organization could generally cover the majority of reported vulnerabilities by monitoring a few mailing lists and a handful of the major vendors’ security pages. These days, vulnerabilities are reported in a far greater variety of places. Where the once-popular Full-Disclosure and Bugtraq mailing lists used to see hundreds of reports every single month, they now rarely get more than 100 posts a month, and sometimes only half of that.

This stands in stark contrast to the sharp rise in the number of vulnerability reports. If vulnerabilities are no longer published on mailing lists, where are they reported? The answer is: “everywhere and anywhere.” Today, at Risk Based Security we are monitoring thousands of sources, ranging from the classic mailing lists and vendor security pages to social media, the deep web, researchers’ own blogs, security companies’ advisory pages, product bug trackers, and source code commits. And we are continuously adding new ones!

The quality of vulnerability reports has generally fallen

With so many vulnerabilities being reported, and from so many different sources, it likely comes as no surprise that the quality of the average vulnerability report has dropped substantially. Poor vulnerability reports are published daily, with critical inaccuracies and omissions such as the affected versions or references to available fixes. Other reports are outright invalid, or duplicates of already known vulnerabilities. What makes matters more difficult and confusing for organizations is that some of these invalid reports and duplicates still end up with CVE identifiers assigned, due to insufficient vetting.

The reasons for these poor disclosures are many. Some reports are ambiguous or misleading because the researcher is not a native speaker yet writes the report in English, though this is still often better than the cases where it appears that Google Translate was used. Other vulnerability reporters just don’t seem to care and quickly publish a sloppy report in which half the relevant information is missing. Another growing group consists of those who find vulnerability research exciting but rely solely on fuzzers without understanding their findings. They tend to publish the raw crash output, either as is without any follow-up analysis or with incorrect conclusions attached.

Vulnerability researchers are hardly the only ones at fault, though. Many vendors continue to publish vague one-liners in their changelogs and commit messages, if they are not seemingly trying to outright hide the fact that they fixed a security issue. Some major vendors are still notorious for the many mistakes and discrepancies in their bulletins, while others, like Microsoft, have sadly devolved from providing detailed security bulletins to referring to almost everything as “memory corruption” without any further detail.

Whatever the reason, the simple fact is that all of this means a much larger and more costly effort is needed to find and then digest published vulnerability reports.
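To make the two preceding points concrete, here is a small triage routine, added as an example and not code from the original post or from VulnDB. It takes reports pulled from differently structured sources, maps their field names onto one schema (the alias table is an assumption for the example), validates CVE identifiers against the post-2014 syntax, in which the sequence number has four or more digits (a fixed `\d{4}` pattern written against the old format silently rejects IDs such as CVE-2017-12345), collapses duplicates of the same issue, and lists the omissions that make a report hard to act on: a missing or malformed CVE ID, no affected versions, no fix reference. The sample records, product names and URLs are constructed for the example.

```python
"""Triage of heterogeneous vulnerability reports (added example; constructed data)."""
import re

# Post-2014 CVE ID syntax: four-digit year, then a sequence number of four OR MORE
# digits. Sequence numbers longer than four digits must not carry leading zeros.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Assumed field aliases: each source names the same thing differently, so map
# everything onto one schema before assessing anything.
FIELD_ALIASES = {
    "cve_id": ("cve_id", "cve", "id"),
    "product": ("product", "package", "component"),
    "affected_versions": ("affected_versions", "versions", "affected"),
    "fix_reference": ("fix_reference", "fix", "patch_url", "advisory"),
    "title": ("title", "summary", "name"),
}

# Constructed sample input, as it might arrive from five different source types.
SAMPLE_REPORTS = [
    {"source": "vendor-advisory", "cve": "CVE-2017-12345", "product": "ExampleServer",
     "versions": "2.0 - 2.3.1", "fix": "https://vendor.example/advisory/42",
     "title": "Buffer overflow in request parser"},
    # Same issue re-posted to a mailing list: lower-case ID, no versions, no fix.
    {"source": "mailing-list", "id": "cve-2017-12345", "package": "ExampleServer",
     "summary": "Buffer overflow in request parser"},
    # Researcher blog post that never mentions where the fix is.
    {"source": "blog", "id": "CVE-2017-0999", "product": "WidgetCMS", "affected": "1.x",
     "title": "SQL injection in search"},
    # Bug tracker entry with a malformed (three-digit) CVE ID.
    {"source": "bug-tracker", "id": "CVE-2017-999", "product": "WidgetCMS",
     "title": "XSS in admin panel", "affected": "1.4",
     "advisory": "https://tracker.example/issue/77"},
    # Raw fuzzer crash dumped online with no analysis at all.
    {"source": "fuzzing-crash", "package": "libparse", "summary": "crash in parse_header"},
]


def canonical_cve_id(value):
    """Return the normalized CVE ID, or None if value is missing or malformed."""
    if not value:
        return None
    candidate = value.strip().upper()
    match = CVE_RE.match(candidate)
    if not match:
        return None
    seq = match.group(2)
    if len(seq) > 4 and seq.startswith("0"):
        return None
    return candidate


def normalize(raw):
    """Map a raw record from any source onto the common schema."""
    out = {}
    for field, aliases in FIELD_ALIASES.items():
        out[field] = next((raw[a] for a in aliases if raw.get(a)), None)
    out["cve_id"] = canonical_cve_id(out["cve_id"])
    out["source"] = raw.get("source", "unknown")
    return out


def assess(report):
    """List the defects that make a normalized report hard to act on."""
    problems = []
    if report["cve_id"] is None:
        problems.append("missing or malformed CVE ID")
    if not report["affected_versions"]:
        problems.append("no affected versions")
    if not report["fix_reference"]:
        problems.append("no fix reference")
    return problems


def triage(raw_reports):
    """Normalize, de-duplicate, and flag incomplete reports.

    Returns (unique_reports, duplicates, problems_by_key). Reports are keyed by
    CVE ID when a valid one exists, otherwise by lower-cased product and title.
    """
    seen = {}
    duplicates = []
    for raw in raw_reports:
        rep = normalize(raw)
        key = rep["cve_id"] or f"{rep['product']}::{rep['title']}".lower()
        if key in seen:
            # Keep the first report, but pull in any field the duplicate adds.
            for field in ("affected_versions", "fix_reference"):
                if not seen[key][field] and rep[field]:
                    seen[key][field] = rep[field]
            duplicates.append((key, rep["source"]))
            continue
        seen[key] = rep
    problems = {key: assess(rep) for key, rep in seen.items() if assess(rep)}
    return list(seen.values()), duplicates, problems


if __name__ == "__main__":
    unique, dups, probs = triage(SAMPLE_REPORTS)
    print(f"{len(unique)} unique issues, {len(dups)} duplicates dropped")
    for key, issues in probs.items():
        print(f"{key}: {', '.join(issues)}")
```

Run on the constructed input, the routine keeps four unique issues, drops the mailing-list re-post of CVE-2017-12345 as a duplicate, and flags the blog post (no fix reference), the bug tracker entry (malformed CVE ID) and the bare fuzzer crash (no ID, no versions, no fix). Keying on CVE ID only when it validates is deliberate: a malformed ID must not become a deduplication key, or two unrelated reports could collapse into one.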

The vulnerability impact to organizations

Obviously, these three factors combined have a great impact on organizations trying to stay up to date on the latest vulnerabilities affecting their IT infrastructure. They make the process a lot more difficult and resource intensive. To deal with this properly, organizations must either ramp up the resources assigned to their vulnerability management team or accept that they may miss a lot of relevant and potentially serious vulnerability reports.

Neither of these two options is great. The latter may ultimately lead to significant costs, including liability, if a compromise and data breach happens, as at Equifax, where a vulnerability reported in Apache Struts went unaddressed for months prior to the compromise. The former may be difficult, as the shortage of qualified candidates and the high demand for them make it hard to find qualified IT security people, and even where it is possible, these resources do not come cheap.

Fortunately, there is a third option that lets organizations save critical resources for more important tasks by relying instead on a comprehensive and detailed vulnerability intelligence solution.

I’ve focused on vulnerability intelligence over my entire career, and I’d like to share just some of the benefits an RBS VulnDB Vulnerability Intelligence solution provides:

  • We monitor everywhere possible and all the products you care about
  • We standardise all the reports
  • We collect everything in one place
  • We assess the validity and accuracy of reports to a certain extent, correcting mistakes and weeding out invalid and duplicate reports
  • We add technical details that cannot be found in the original reports
  • We add a lot of extra metrics to help you better prioritize remediation including information about severity, exploit availability, and report confidence.
  • We provide metrics about how well a given vendor handles vulnerabilities in their products, so you know which vendors care the most about security
  • We provide metrics about the code maturity of a given product, so you know how securely it has been coded and how much the vendor has invested in security
  • We provide metrics about vendors and products that are most likely to put your organization at risk for a data breach, which you cannot get anywhere else

We do all of this, so you don’t have to and can focus on the issues at your organization!

In the past, while still not advisable, it was possible for an organization to at least cover the basics itself. These days it is too costly and resource intensive. It is no longer a question of “can you do it yourself?”, but “why would you even consider doing it yourself?”

The precious and highly paid resources required to gather and assess reported vulnerabilities on a daily basis are too great a cost when the task can be outsourced for much less than the salary of a single employee. More importantly, outsourcing it frees up those resources for more important tasks that secure your organization’s IT infrastructure. By getting the data from a provider such as VulnDB, your employees can focus on adding more value by determining how these vulnerabilities affect your organization and addressing them.

If you are not already implementing a vulnerability intelligence solution today, you should make it a priority to change that in 2018!

Carsten Eiram, Chief Research Officer