Fixing Vulnerabilities Costs 100x More If You Don’t Understand the Weakness

CWE Program
3 min read, Nov 9, 2020


Knowing which weaknesses caused vulnerabilities is an important part of creating more secure future products

A study from the IBM System Science Institute states that fixing a defect via patching costs 100 times more than preventing it during the design phase. Vendors cannot design secure software if they do not know what weaknesses on which to focus. Knowing which weaknesses caused previously discovered vulnerabilities is an important part of creating more secure products in the future.

In July 2020, Google published “Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019” on its Project Zero blog. This blog post explores “zero days,” vulnerabilities that were exploited in 2019 before the vendor had a fix. Unfortunately, Google’s post does not provide enough information to derive the detailed weaknesses exploited by the vulnerabilities listed. If the vendors of the vulnerable software released more information on these weaknesses, then all vendors could focus on removing those types of errors in future designs, reducing the cost of software for users and increasing their safety.

When looking through Google’s post, there is a lack of information to categorize the weaknesses that were leveraged in these zero days. As shown in the table below, almost half of the zero days (9) do not have enough information for the National Vulnerability Database (NVD) to assign a CWE number in the CVE. Among those that do have CWEs assigned, the descriptions lack enough detail about the underlying weakness(es) to confirm that the CWE assignment is accurate.
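The gap described above can be measured directly from NVD data. The following is an added example, not code from the CWE Program or from Google’s post: it assumes the NVD JSON 1.1 feed layout (CVE_Items[].cve.problemtype.problemtype_data[].description[].value) and uses a constructed sample feed with placeholder CVE IDs.

```python
"""Audit how many CVE records in an NVD 1.1 JSON feed carry a usable CWE."""
import json
from collections import Counter

# Assumed schema: NVD JSON 1.1 feed. NVD records the pseudo-CWE "NVD-CWE-noinfo"
# when the CVE text gives too little detail to pick a weakness, and "NVD-CWE-Other"
# when the weakness is not in the CWE view NVD maps to.

def classify_item(item):
    """Return 'cwe', 'noinfo', 'other' or 'none' for one CVE_Items entry."""
    values = []
    for pt in item.get("cve", {}).get("problemtype", {}).get("problemtype_data", []):
        for d in pt.get("description", []):
            values.append(d.get("value", ""))
    if any(v.startswith("CWE-") for v in values):
        return "cwe"
    if "NVD-CWE-noinfo" in values:
        return "noinfo"
    if "NVD-CWE-Other" in values:
        return "other"
    return "none"

def audit_feed(feed_json):
    """Count CVEs by CWE-assignment status and list those lacking a specific CWE."""
    feed = json.loads(feed_json)
    counts = Counter()
    needs_detail = []          # CVEs the vendor should add weakness detail for
    for item in feed.get("CVE_Items", []):
        status = classify_item(item)
        counts[status] += 1
        if status != "cwe":
            needs_detail.append(item["cve"]["CVE_data_meta"]["ID"])
    return dict(counts), needs_detail

def _entry(cve_id, *values):
    # Constructed helper that builds a minimal feed record for the sample below.
    return {"cve": {"CVE_data_meta": {"ID": cve_id},
                    "problemtype": {"problemtype_data": [
                        {"description": [{"lang": "en", "value": v} for v in values]}]}}}

# Constructed sample feed; the IDs are placeholders, not real CVEs.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _entry("CVE-0000-0001", "CWE-416"),
    _entry("CVE-0000-0002", "NVD-CWE-noinfo"),
    _entry("CVE-0000-0003", "CWE-787", "CWE-20"),
    _entry("CVE-0000-0004", "NVD-CWE-Other"),
    _entry("CVE-0000-0005"),
]})

if __name__ == "__main__":
    print(audit_feed(SAMPLE_FEED))
```

Running it over a real yearly feed gives the share of records in the "noinfo" and "none" buckets, which is the group the post counts as lacking a CWE.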

The most efficient and accurate way to obtain this weakness information is to have the system vendor provide it. The vendor knows the most about the vulnerability and the system it resides in. Therefore, the vendor can do the best job of pinpointing the actual weakness, especially after producing a patch for the issue. NVD attempts to assign a CWE to each vulnerability included on the Common Vulnerabilities and Exposures (CVE) list. NVD does the best it can with incomplete information, but having others attempt to determine the weakness(es) leads to a higher chance of imprecise, incomplete, and incorrect weakness identification.

It is understood that certain information on how to exploit zero days before a patch exists needs to be released carefully, since the goal is to inform defenders without aiding additional exploit development. However, once a patch is released, many groups will reverse engineer that patch and learn how to exploit the vulnerability. It is important that after a reasonable period — say three months — more details about the underlying weakness are added to the CVE description by the vendor. This additional detail will ensure accurate CWE identification and allow defenders not only to react to and mitigate a specific vulnerability, but to prevent the underlying problem(s) from existing in the first place.

If vendors provided more complete and detailed information, we as a community could improve security not only for these vulnerabilities but for future ones. The security ecosystem could prioritize efforts toward the most dangerous weaknesses. Vendors could better educate their developers and create better tools to help eliminate future occurrences of these same weaknesses. This detailed information can play a part in the future security of their software and reduce the costs of having to re-code vulnerable software. Vendors could have spent 1% of what they spent on producing these patches while preventing attacks against their customers.

Everyone except the adversary wins when detailed weakness information is provided.



CWE Program

The official blog of the CWE Program. Articles are written by program staff and our community partners. https://cwe.mitre.org