Still relying solely on CVE and NVD for vulnerability tracking? Bad idea
2017 broke the previous all-time record for the highest number of reported vulnerabilities. The 20,832 vulnerabilities cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD) by more than 7,900.
“Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organization falling short year after year. While some argue that the CVE/NVD solution is ‘good enough’, that simply isn’t the case. Just look at the number of web and computer hacking data breaches reported on a regular basis. In addition to a false sense of security, the ‘good enough’ mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case either”, said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.
In fact, the 7,900 vulnerabilities published by VulnDB in 2017 that are not found in CVE/NVD, impact prevalent products that are used in all sizes of organizations. While the number of CVE assignments continue to rise, the actual coverage still lags behind.
Of the more than 18,000 CVE IDs that were assigned or allotted to CVE Numbering Authorities (CNAs), almost seven thousand were in RESERVED status despite 1,342 of them having a public disclosure. This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs, and not ensuring the quality of data.
39.3% of reported vulnerabilities received CVSS scores above 7.0. This means that not only has the number of vulnerabilities been increasing, but the CVSS scores are also trending higher over the last five years. In 2017, web-related issues accounted for over half of all vulnerabilities disclosed, 31.5% had public exploits, and 24.1% had no solution at the time of the report.
While relationships between researchers and vendors can at times appear strained, they are continuing to attempt to work together. Vulnerabilities disclosed in a coordinated fashion with vendors was relatively consistent at 44.8%, compared to 45.6% in 2016.
“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern. Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process.”, says Carsten Eiram, Chief Research Officer.