Each year, organizations are exposed to thousands of vulnerabilities that go unreported by mainstream sources of such information, according to a new report from security information provider Risk Based Security.
The two sources that security practitioners and developers commonly consult are the Common Vulnerability Enumeration (CVE) program, run by Mitre, a not-for-profit company that operates multiple federally-funded research and development centers, and the National Institute of Standards and Technology's National Vulnerability Database (NVD).
But CVE and NVD miss a lot, says Risk Based Security, and solely depending on them can leave an organization open to risks posed by unreported vulnerabilities. In its year-end tally, for example, Risk Based Security cataloged 20,832 vulnerabilities for 2017—7,900 more than were reported by NIST and Mitre.
If your vulnerability intelligence solution didn't offer information on the more than 20,000 vulnerabilities disclosed in 2017, your organization is at an increased risk, said Brian Martin, vice president of vulnerability intelligence at Risk Based Security.
“Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government-funded organizations falling short year after year."
—Brian Martin
The good news: There are things you can do to mitigate risk even from vulnerabilities you don't know about. Here's a rundown from top vulnerability experts.
Not good enough
Martin says there's a perception in some organizations that Mitre and the NVD provide a "good enough" solution for addressing vulnerability issues. That's simply not the case when you consider the number of hacking data breaches being reported on a regular basis, he adds.
"In addition to a false sense of security, the 'good enough' mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case."
—Martin
Risk Based Security found that nearly 40% of the vulnerabilities it discovered had a CVSS severity score of over 7.0 of of 10 (CVSS is a free, open industry standard for assessing the severity of computer system vulnerabilities).
Apples and oranges
One reason for the vulnerability gap between Risk Based Security and Mitre's CVE program could be how the two organizations define flaws.
"The CVE program has no basis to validate or dispute the assertions made in the report," said Mitre spokesperson Jennifer Lang. "It is unclear whether it adhered to the practices and norms of the CVE program for determining what constitutes a vulnerability, or if the originator of the data applied a different set of rules for determining what constitutes a vulnerability in their operating space.
"If they chose a different rule set, it is quite understandable that their results would differ," she said.
Risk Based Security defines vulnerabilities as Mitre does, but it "abstracts" vulnerability issues differently, Martin said. For example, if there are 10 issues in a disclosure, Mitre might treat that disclosure as a single CVE, while RBS creates 10 vulnerability entries, one for each issue.
Another possible explanation for the discrepancy is that flaws from several platforms, such as Google Android, weren't added to the CVE program until this year. "Many of the phone platforms weren't being tracked in 2017," said Chris Goettl, director of security product management at Ivanti, a maker of security and management software.
An important part of the Mitre and NIST programs is the use of CVE Numbering Authorities (CNAs), which feed vulnerability data to the programs. That can become a problem. "There are too many vendors not properly maintaining and disclosing vulnerabilities," Goettl said.
"Mitre and NVD have done their part by creating a platform. They can't research every product on the market. I don't think we can blame them for vendors who refuse to participate."
—Chris Goettl
Both Mitre and NVD continuously improve the publishing process while maintaining the integrity of the data they collect, said Michael Cooper, security testing group manager for NIST's Information Technology Lab.
"The efforts to bring more CNAs online and to work with them on the proper level of detail needed has shown undeniable positive results. This can be seen in the increase in vulnerabilities published between 2016 and 2017, which is significantly more than double."
—Michael Cooper
How to mitigate the risk from unreported vulnerabilities
Organizations concerned with the risks posed by unreported vulnerabilities can adopt several strategies.
Asset management, for instance, is important for any organization concerned about the risks posed by unreported vulnerabilities. "You need to know what software titles are on your network," Invanti's Goettl said.
"Get rid of outdated software. Uninstall software that's not being used. You can mitigate or reduce risk with every application you remove."
—Goettl
Software in use needs to be kept up to date. "If there are no CVEs associated with the software, that doesn't mean there are no vulnerabilities," Goettl warned. "It may mean the vendor isn't disclosing vulnerabilities. Making sure applications are updated to the latest versions available is a way to mitigate risk for applications that don't disclose vulnerabilities. "
Even if a vendor is conscientious about disclosing vulnerabilities, it's still a good idea to keep programs current.
"A common misconception is that vulnerabilities don’t exist unless they have a CVE. This is untrue. In fact, vulnerabilities exist and are exploited prior to them being discovered by either a product vendor or an independent researcher."
–Jennifer Lang
In addition, companies concerned about protecting themselves from vulnerabilities unreported in the CVE program or the NVD can seek additional vulnerability intelligence from a third-party vendor or set up their own vulnerability team, although that can be an expensive proposition.
There are those, however, who believe organizations spend too much time chasing vulnerabilities.
Focus on how security tools work during an attack
Organizations need to stop measuring security effectiveness based on chasing vulnerabilities, patches, and lagging indicators of compromise, said Brian Contos, CISO of Verodin, a network security company.
Organizations need to start managing, measuring, and improving security effectiveness by looking at how their security controls operate under attack in their production environments and calibrating those security tools, so they are actually providing value, he continued.
"We tend to base security on the assumptions that our endpoint, email, network, and cloud security tools are doing what we want. Our assumptions are wrong. The sad truth is, in most cases, you're lucky if you’re getting more than 25% of the value out of any of your security tools."
—Brian Contos
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
