Published in Nerd For Tech
Trying to close the expanding software bug ID gap

“If it ain’t broke, don’t fix it,” is one of the all-time common-sense clichés. Which makes the corollary true as well: If it is broke, fix it.

But what if you don’t know it’s broke? It would help if somebody would let you know.

And in the world of software, issuing those warnings is the goal of the Common Vulnerabilities and Exposures (CVE) Program, launched in 1999.

The need is obvious. Software essentially runs the modern world. It’s everywhere and in just about everything. It’s also made by humans, which means it’s not perfect. If those imperfections can be exploited by hackers, it could put you, your organization, and your customers at risk.

So one never-ending scramble in the industry is to provide patches or updates to fix vulnerabilities as soon as possible after they’re discovered. But of course, the people and organizations using the software have to install those patches and updates.

Hence the ongoing mantra from security experts: Keep your software up to date. Fix it, in other words.

The CVE Program is meant to help with that. It pools the efforts of qualified experts called CVE Numbering Authorities (CNAs) to notify a single organization about any exploitable flaws or bugs in software or firmware that they find.

That organization, the nonprofit, federally funded MITRE Corp., maintains a database in which each of those vulnerabilities is assigned an identification number and given a severity ranking. It’s a lot like crowdsourcing security.

The CVE list is also fed into the National Vulnerability Database (NVD), operated by NIST (National Institute of Standards and Technology) within the U.S. Department of Commerce. In 2020, the NVD logged 18,335 vulnerabilities, with 4,380 ranked as “severe.”

Great concept but …

It’s a great concept — bad guys pool their resources, so why not the good guys? But the struggle for the past decade has been to keep up with the exponential growth of software, and its inevitable vulnerabilities. The “crowd” of CNAs hasn’t been big enough, creating a gap between the total number of vulnerabilities discovered and those given a CVE ID that has ranged from 30% to 50%. According to one estimate in 2017, there were nearly 53,000 vulnerabilities without a CVE identifier out of more than 158,000 cataloged.

In response, MITRE has been growing its CNA forces, big time. From an original group of just 22, the number of CNAs was up to 83 four years ago and is now at 161 in 26 countries. The Synopsys Software Integrity Group’s Cybersecurity Research Center (CyRC) was recently designated a CNA. (Disclosure: I write for Synopsys.)

The CNAs aren’t hired by MITRE. They’re really not even contractors. They’re all volunteers, in it for the benefit of themselves and the software industry at large. As Jason Schmitt, general manager of the Synopsys Software Integrity Group, put it in an announcement of the designation, “vulnerability research is part of our DNA. As a CNA, we can more effectively and efficiently disseminate the results of our research to our customers and the software community in general.”

There are multiple types of CNAs, some higher-level than others, including “Root” and “Top-Level Root,” but all are assigned a “scope of responsibility.” For Synopsys, that scope is all of the company’s Software Integrity Group’s products plus “vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope,” according to MITRE.

The scope is also defined in part by the multiple types of CNAs. They include:

  • Bug bounty programs: Assign CVE IDs to products and projects that use the bug bounty service’s product offerings.
  • Hosted services: Assign CVE IDs for vulnerabilities found in their own services.
  • National and industry computer emergency response teams (CERTs): Perform incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
  • Vendors and projects: Assign CVE IDs to vulnerabilities found in their own products and projects.
  • Independent vulnerability researchers: Assign CVE IDs to products and projects on which the individual performs vulnerability analysis. Independent vulnerability researchers need approval by the CVE Board.
  • Organizational vulnerability researchers: Assign CVE IDs to products and projects on which they perform vulnerability analysis.

There are requirements to qualify as a CNA, but they aren’t even close to onerous. Jo Bazar, co-chair of the CVE Program’s Outreach and Communications Working Group, said the goal is to “make participation easy.”

Organizations must have a public vulnerability disclosure policy, have a public source for new vulnerability disclosures and be able to create CVE ID records from examples.

Beyond that, representatives of an applicant organization simply need to fill out a registration form, attend an introductory session and agree to the CVE terms of use.

And while it’s not a requirement to participate, Ben Ronallo, program manager with the Synopsys Software Integrity Group, noted that there are multiple working groups open to CNAs, including those focused on automation, strategic planning and quality.

More isn’t enough

All of which leads to the obvious question: How is it all working?

That question gets mixed replies — very mixed replies — from security experts. While the CVE Program has increased the CNA ranks by more than a factor of seven since its start, it is not nearly enough to keep pace with the exponential growth in vulnerabilities.

Art Manion of the CERT Coordination Center, Carnegie Mellon Software Engineering Institute and also a CVE board member, said the program is working “and the principle behind it is sound. Vendors — suppliers, developers, maintainers — are responsible for their software, which includes vulnerabilities in their software. Part of resolving vulnerabilities is publicly documenting them, and CVE is meant to be the global public vulnerability catalog.”

But he acknowledges the growth in CNAs is not enough. “Lots of vulnerabilities are publicly disclosed without CVE IDs,” he said. “Last I looked ‘lots’ was thousands per year. This is a serious gap, and a significant underestimation of risk.”

Kurt Seifried, chief blockchain officer and director of special projects at the Cloud Security Alliance, who also runs Open Source Security with colleague Josh Bressers and is a former CVE board member, said it is worse than that. “CNAs have expanded but CVE ‘production’ has flatlined,” he said. He pointed to statistics that Bressers cited in a blog post: while there was a significant jump in CVE IDs in 2017, when the number of CNAs had grown from 22 to 83, the count has slightly declined since then.

And while he doesn’t have a verifiable figure, Seifried said his “back of the envelope” calculation of the number of CVE IDs needed in a given year is in the 1 to 10 million range. “That’s for the stuff that matters,” he said.

But Bazar said “it’s impossible to know how many vulnerabilities exist,” noting that in “an ever-expanding global marketplace” there are wide variances among organizations in the maturity of their security practices.

“The real numbers are unknown,” she said, but acknowledged that “in all likelihood, there will always be opportunities for us to increase reach and coverage.”

Pete Allor, director of product security at Red Hat (which has a seat on the CVE board), said the CNA expansion is “by design for multiple reasons and is helping the program achieve the desired results.”

“The major reason for the change is to put product vendors in a position to input their data and reduce rescoring (of severity) by the NVD,” he said. “It also removes MITRE, which is a federally funded research and development center, from handling operations directly and orient itself back to its chartered business of researching.”

That, he said, means MITRE will no longer assign CVE IDs and will become more of a “secretariat” for the CVE Program.

“The essence then, is that a CNA has a specific scope of what it covers and is the authoritative source for that scope,” he said.

Bring on automation

Still, whatever the gap between total vulnerabilities and those assigned CVE IDs, addressing it will require at least another exponential jump in the number of CNAs.

And even that won’t close the gap, according to Manion, Bressers and Seifried. Manion recommended several years ago that the program use automation to assign IDs. But that, he said, “hasn’t happened yet, and I don’t believe is being actively explored.”

“I think part of this problem goes back to the quality/quantity/speed tradeoffs,” he said. “There may not yet be appetite for publishing lots of machine-discovered and populated CVE IDs of questionable quality.”

There may be no way around some compromise on that, however. As Bressers put it in his blog, “All of the IDs are hand-crafted by humans (and) humans don’t scale.”
