The past two years have seen an explosion in the number of software vulnerabilities being published, jumping from 6,447 in 2016 to 14,714 in 2017. Seeing as 2018 beat out the previous year with 16,521 CVEs reported, we should prepare ourselves for plenty of patching ahead in 2019.
While factors like the adoption of automated Application Security Testing (AST) tools by more vendors and the absolute growth of code are definitely playing a bigger role in helping to uncover many of these vulnerabilities, there is a human component to this.
If we want to understand why something happens, we need to ask who benefits from finding and publishing more software vulnerabilities. The 30,000-foot answer is everybody, because once we know that a vulnerability exists, we can start the work of fixing it in our software.
But if we drill down a bit, we can look at some of the more specific incentives. As the software industry has grown by leaps and bounds over the past two decades, it has brought more players to the table. Despite a significant deficit in the number of qualified folks to work in security positions, there are arguably now far more security researchers in the field than there were in the past, all of whom are helping to bring more vulnerabilities to light.
We need to also take a step back and consider the reality that finding security vulnerabilities is both sexy and downright valuable. As software vendors are becoming more security cautious — a trend that I believe to correlate with both the expansion of software users and the number of breaches of precious data in recent years — they are more willing to pay White Hats for vulnerabilities to be reported to them before they can be uncovered and exploited by hackers.
Meet your friendly neighborhood hacker: Your hired gun
We have seen a massive growth of security research firms who like to catch headlines whenever they uncover some CVEs in high profile software products like Windows or open source projects that are commonly used like the more recent FreeRTOS vulnerabilities. These discoveries help them to get their names out there and drum up some well-deserved business for their efforts, hopefully getting hired for a client’s internal investigative projects.
Bug bounty programs are probably also playing a significant part in helping to uncover more software vulnerabilities, as they are tied to cash rewards. The rise of companies like HackerOne and Bugcrowd, just to name two of the biggest players, is helping to make this a more established field.
It should be said that there are a number of changes that we can consider to be cultural in nature surrounding security research. First is that in the bad old days, security researchers faced a higher risk of being prosecuted when they came to a company and told them about all of the bugs they had found in their software. Some of these companies thought that they could cover up the flaws in their software by discouraging researchers from poking around in it.
While this still occurs on occasion, companies have wised up to the fact that they are better off thanking or even paying these talented folks for bringing these risky bugs to their attention. Regulation like GDPR also provides a stick for companies who fail to notify when a breach occurs, imposing hefty penalties that make the cover-up often far worse than the crime.
The alternative to reporting these vulnerabilities was once the more common route for researchers, and that was selling them to the highest bidder on black markets. Whether there has been a shift on the scale from vulnerabilities being sold illegally to more being reported is hard to ascertain given the opaqueness of that market.
What we can say though is that even as this still goes on, the opportunity to get paid legally and not get arrested seems to have drawn many former Black Hats over to the other side of the line.
Community policing: Open source takes care of its own
The people who contribute and help maintain open source projects are pretty passionate about being proactive members of the community. They believe in helping to make the projects better and stronger for others to use. These discoveries have wide-reaching effects since open source projects easily find their way into large commercial products that depend on open source projects to help solve problems and add features that in-house developers would have to otherwise write themselves.
Getting involved in finding vulnerabilities in open source projects can also be a great way for new researchers who are hoping to enter the security field to enhance their resumes, which in turn will help them in the job hunt down the line.
Since enterprises are now openly talking about their open source usage, they are more actively contributing to its collective security through their support of organizations like the Linux Foundation’s Core Infrastructure Initiative (CII) and the Apache Foundation. As major users of open source components for their own code, enterprises understand that they need to have a direct hand in keeping it secure and usable. Not only is it good manners, but it makes business sense as well. Their help provides the financial backing that these projects need to make security a bigger priority. They also add a monetary incentive through bug bounties for open source projects through various initiatives, helping to bring more interested minds to the problem.
Sometimes you get what you need
Moving forward, we need to remember that even as a rise in CVEs can be eternally frustrating and means more remediation work, it is still far preferable to deal with these vulnerabilities early, before they are exploited by attackers.
Obviously, it would be great if there were no more vulnerabilities in our software, but there is a silver lining. If a vulnerability is reported, then it means that we at least know that it exists and can start working on protecting ourselves.
As more code is going to be written by humans, there will naturally be more vulnerabilities in our code. We need to encourage continued research for discovering vulnerabilities and getting the information out to the public so that organizations can stay a step ahead of the hackers, keeping themselves and their customers’ data safe.