It would be hard to dispute that the CVE (Common Vulnerabilities and Exposures) program is a great concept: a “dictionary” of all known vulnerabilities in publicly released software or firmware so organizations can know what risks they are facing. There is much dispute, however, 18 years after the nonprofit research and development organization MITRE launched the program, about how well it is working.
According to a number of critics, it’s not doing very well. Joshua Corman, a founder of I Am The Cavalry and director of the Cyber Statecraft Initiative for the Atlantic Council, said in a keynote at the SOURCE Boston conference in April that identifying and cataloging CVEs has fallen behind – way behind.
“For all vulnerabilities disclosed anywhere, commercial databases currently track about 80 percent. CVE tends to have 60 percent of that 80 percent,” he said. “So when you make a risk decision, you’re doing it with a blind spot of about 50 percent. This is a too-big-to-fail thing. It’s like our bridges and tunnels collapsing,” he said, adding, “It is about to get a lot worse,” thanks to the continuing explosion of devices, and accompanying vulnerabilities, that make up the Internet of Things (IoT).
CSO’s Steve Ragan, in a Salted Hash post last September, noted that “the CVE system is faced with bottlenecks and coverage gaps, as thousands of vulnerabilities go without CVE-ID assignments. These gaps are leaving business leaders and security teams exposed to vulnerabilities that their security products, which rely on CVE-IDs to function and assess risk, don't even know exist in some cases,” he wrote.
Some members of the CVE Board – which includes 25 members from multiple segments of the cybersecurity community – are critical as well. Brian Martin, vice president of vulnerability intelligence at Risk Based Security and an independent member of the board, says that according to a vulnerability database his firm compiled, the gap is not as extreme as Corman estimates, but is still significant.
“There are currently 52,913 vulnerabilities without a CVE identifier. That is out of 158,413 they have cataloged, making it about 33 percent missing,” Martin says. However, the percentage improvement “has come at the cost of accuracy and quality.” Some CVE descriptions being published are essentially worthless to consumers, as they lack critical details and don't include references that would help them. “So to benefit from the CVE ID, consumers have to do more work and struggle to understand the issue,” he says, adding that “MITRE is also still flip-flopping on their assignment and abstraction rules. In some cases they are assigning too many IDs to a group of issues, other times they are not assigning the proper year ID.”