This morning (Chicago time), I participated in an excellent webinar that was part of Infosecurity Magazine’s 2-day Online Summit. If you missed it, the recording is already available (separately from the other presentations in the Summit) here. Besides me, the guests included Rose Gupta, Senior Security Engineer of Assured Partners, and Lindsey Cherkovnik, Branch Chief, Vulnerability and Coordination of CISA.
Rose provided a very articulate discussion of the challenge of
putting together a vulnerability management program for a medium-to-large-sized
organization (especially given the current problems with the NVD). It was refreshing
to have a true end user perspective in the webinar, since it’s unusual to hear such
a perspective in a security webinar (or even just a security discussion) today.
Lindsey, who is responsible for KEV (a very successful
program, IMO) and CISA’s coordination with CVE.org (which CISA funds), revealed
some of the big challenges that CISA and CVE.org face. Besides the big slowdown
in the NVD that started in February (which is still largely unexplained),
there has been a huge increase in the number of new CVEs reported: an estimated
36,000 for 2024, vs. about 29,000 in 2023, which was itself up from about 25,000 in
2022.
Of course, the fact that reported CVEs are increasing is
good news, even though it might at first appear otherwise. It’s unlikely that
software developers have suddenly had all the knowledge of good coding
practices they’ve accumulated over the years wiped from their brains, so they
now turn out software that’s loaded with vulnerabilities. Au contraire, the
developers are probably a) more aware than ever of weaknesses in their software
and b) more willing than ever to inform their customers (and the rest of the world)
about a vulnerability after they have made a patch available for it.
Lindsey also pointed to some good news regarding the CNAs –
CVE Numbering Authorities. The CNAs are the organizations
(now numbering over 400) that assign CVE numbers (e.g., CVE-2024-12345) to new
vulnerabilities and create a CVE report for each new CVE. They include large
software developers like Microsoft, Red Hat, Oracle and HPE (who mostly report
vulnerabilities in their own products), as well as other organizations like
GitHub, CISA, MITRE, Amazon and Apache Software Foundation.
The CVE report consists mostly of text when the CNA uploads
it to CVE.org; the text describes the vulnerability and identifies one or more
products that are vulnerable to it. However, after CVE.org loads the report in
their own database, they pass it on to the NVD. Until February 12 of this year,
the NVD almost always added three types of machine readable information
to the report (a process called “enrichment”):
1. CWEs (Common Weakness Enumeration),
2. CVSS (Common Vulnerability Scoring System); and
3. CPE (Common Platform Enumeration).
In February, the NVD drastically
slowed the rate at which they added these three pieces of information to CVE
reports that they received from CVE.org. As a result of this slowdown, there
are now over 18,000 “unenriched” CVE records in the NVD, which lack these three
types of information; these CVE records are essentially invisible to automated searches
of the NVD.
For example, suppose a user searches
the NVD today for the CPE name of a product they use, and that product has been
named in the textual discussion in five CVE reports since February 2024. Since
the NVD has enriched fewer than 20% of CVE records this year, that means it’s unlikely
the search will locate even one of those CVEs. Thus, the user will go blissfully
on their way, thinking their product is quite secure, when in fact it has at
least four unpatched vulnerabilities they don’t know about. And since the backlog
of unenriched vulnerabilities is increasing almost every day, this problem will
only grow over time.
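The blind spot described above can be made concrete. The following is an added example, not code from the post or from the NVD: it uses constructed CVE records in a simplified shape (a CNA description plus optional CWE, CVSS and CPE enrichment fields), mimics an automated search keyed on CPE name, and shows that the records the CPE search misses are exactly the unenriched ones. The product "Acme Widget", its CPE name and all CVE ids are placeholders.

```python
"""Added example (not code from the post or from the NVD): why an unenriched
CVE record is invisible to a CPE-keyed search, and how to surface the gap.
All records below are constructed sample data in a simplified shape."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CveRecord:
    cve_id: str
    description: str                                 # CNA text, always present
    cwes: List[str] = field(default_factory=list)    # NVD enrichment: weaknesses
    cvss: Optional[float] = None                     # NVD enrichment: base score
    cpes: List[str] = field(default_factory=list)    # NVD enrichment: CPE names

    def is_enriched(self) -> bool:
        """Record carries all three pieces of machine-readable data."""
        return bool(self.cwes) and self.cvss is not None and bool(self.cpes)


# Constructed sample: five records name the hypothetical product "Acme Widget"
# in their text, but only the first has been enriched with a CPE name. The
# sixth record is enriched and concerns a different hypothetical product.
PRODUCT_CPE = "cpe:2.3:a:acme:widget:*:*:*:*:*:*:*:*"
SAMPLE = [
    CveRecord("CVE-2024-00001", "Buffer overflow in Acme Widget 3.1.",
              cwes=["CWE-120"], cvss=7.5, cpes=[PRODUCT_CPE]),
    CveRecord("CVE-2024-00002", "Acme Widget 3.2 allows authentication bypass."),
    CveRecord("CVE-2024-00003", "Path traversal in Acme Widget before 3.4."),
    CveRecord("CVE-2024-00004", "Acme Widget 3.x: stored XSS in the admin page."),
    CveRecord("CVE-2024-00005", "Acme Widget mishandles session expiry."),
    CveRecord("CVE-2024-00006", "Header injection in Other Product 1.0.",
              cwes=["CWE-113"], cvss=5.4,
              cpes=["cpe:2.3:a:other:product:*:*:*:*:*:*:*:*"]),
]


def _vendor_product(cpe: str) -> Tuple[str, str]:
    """Vendor and product fields of a cpe:2.3 name (positions 3 and 4)."""
    parts = cpe.split(":")
    return parts[3], parts[4]


def cpe_search(records: List[CveRecord], cpe_query: str) -> List[str]:
    """Mimic an automated NVD lookup keyed on CPE name: only records whose
    enrichment data carries a matching vendor/product are returned."""
    wanted = _vendor_product(cpe_query)
    return [r.cve_id for r in records
            if any(_vendor_product(c) == wanted for c in r.cpes)]


def text_search(records: List[CveRecord], product_name: str) -> List[str]:
    """Fallback over the CNA description, which exists whether or not the NVD
    has enriched the record. Crude: naming variants will cause misses."""
    needle = product_name.lower()
    return [r.cve_id for r in records if needle in r.description.lower()]


def unenriched_ids(records: List[CveRecord]) -> List[str]:
    """Records lacking any of CWE, CVSS or CPE: the NVD backlog, in miniature."""
    return [r.cve_id for r in records if not r.is_enriched()]


def coverage_gap(records: List[CveRecord], cpe_query: str,
                 product_name: str) -> List[str]:
    """CVEs the text search finds but the CPE search misses: the 'invisible'
    records the post describes. Every one of them should be unenriched."""
    seen = set(cpe_search(records, cpe_query))
    return [c for c in text_search(records, product_name) if c not in seen]
```

Run against the sample, `cpe_search` returns one of the five Acme Widget CVEs while `text_search` returns all five; the four in `coverage_gap` are precisely the four unenriched records. The practical lesson for anyone scripting against the NVD is to treat a CPE-only query as a lower bound and to review unenriched records by another route, since text matching on product names is a fallback rather than a substitute.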
In April 2024, CVE.org (aka the CVE
Program) decided that the CNAs should start adding at least the first two of
the three items listed above, CWE and CVSS score, to each CVE report that they
create. Since the CNA is often the developer of the vulnerable product, it
makes sense that they should understand the cause (CWE) and severity (CVSS
score) of the CVE described in the report. What was interesting was that the
CVE program didn’t require the CNAs to do this by, for example, threatening
to reject any CVE report that didn’t include those two items.
Instead, the CVE program decided
to use positive reinforcement to achieve their goal. Rather than beating the
CNAs upside the head to get them to do this, they announced they would publish
a “CNA Enrichment Recognition List” every two weeks; CNAs that had included a CWE
and a CVSS score on 98% of the CVE reports that they had submitted during the two
week period would be recognized in the list published for that period.
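To show how such a list is computed from the rule just described, here is an added example, not code from the post or from the CVE Program: it takes constructed CVE reports with placeholder CNA names and ids, counts per CNA how many reports published in a two-week window carry both a CWE and a CVSS score, and lists the CNAs at or above 98%. It also covers the edge cases the rule implies: a CNA with no reports in the window is simply absent, and 49 of 50 qualifies while 48 of 49 does not.

```python
"""Added example (not code from the post or from the CVE Program): computing a
CNA Enrichment Recognition List from a set of CVE reports, using the 98%
two-week rule the post describes. All reports below are constructed sample
data with placeholder CNA names and CVE ids."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class CveReport:
    cve_id: str
    cna: str
    published: date
    cwe: Optional[str]      # None when the CNA omitted the weakness
    cvss: Optional[float]   # None when the CNA omitted the base score

    def cna_enriched(self) -> bool:
        """Both items the CVE Program asked CNAs to supply are present."""
        return self.cwe is not None and self.cvss is not None


def cna_rates(reports: List[CveReport], start: date,
              end: date) -> Dict[str, Tuple[int, int]]:
    """(enriched, total) per CNA for reports published in [start, end].
    CNAs with no reports in the period do not appear at all."""
    totals: Dict[str, int] = defaultdict(int)
    enriched: Dict[str, int] = defaultdict(int)
    for r in reports:
        if start <= r.published <= end:
            totals[r.cna] += 1
            if r.cna_enriched():
                enriched[r.cna] += 1
    return {cna: (enriched[cna], totals[cna]) for cna in totals}


def recognition_list(reports: List[CveReport], start: date, end: date,
                     threshold_pct: int = 98) -> List[str]:
    """CNAs whose enrichment rate over the period meets the threshold. Integer
    arithmetic keeps 49/50 exactly at 98% rather than trusting float rounding."""
    rates = cna_rates(reports, start, end)
    return sorted(cna for cna, (ok, total) in rates.items()
                  if ok * 100 >= total * threshold_pct)


def _make_reports(cna: str, n_total: int, n_enriched: int, day: date,
                  seq: int) -> List[CveReport]:
    """Constructed reports: the first n_enriched carry both CWE and CVSS."""
    return [CveReport(f"CVE-2024-{seq + i:05d}", cna, day,
                      "CWE-79" if i < n_enriched else None,
                      6.1 if i < n_enriched else None)
            for i in range(n_total)]


# Constructed two-week period and sample CNAs (names are placeholders).
PERIOD_START = date(2024, 5, 1)
PERIOD_END = PERIOD_START + timedelta(days=13)
SAMPLE = (
    _make_reports("CNA-A", 50, 49, PERIOD_START + timedelta(days=2), 10000)   # 98.0%: listed
    + _make_reports("CNA-B", 49, 48, PERIOD_START + timedelta(days=5), 20000) # 97.96%: not listed
    + _make_reports("CNA-C", 3, 3, PERIOD_END, 30000)                         # 100%: listed
    + _make_reports("CNA-D", 10, 10, PERIOD_START - timedelta(days=1), 40000) # outside the period
)
```

With this sample, `recognition_list(SAMPLE, PERIOD_START, PERIOD_END)` returns `["CNA-A", "CNA-C"]`: CNA-B falls just under the line, and CNA-D, whose reports all predate the window, is neither listed nor counted. This is why the post's comparison of roughly 100 listed CNAs against 400 registered ones is misleading: the denominator that matters is the set of CNAs that actually filed a report in the period.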
In the webinar, Lindsey announced
(proudly, I might add) that there were over 100 CNA names on the list for
the first two week period, which was released yesterday. Since there are over
400 CNAs now, it might seem that 100 isn’t something to be proud of. However, a
lot of CNAs don’t create any CVE reports in a given two-week period. The fact
that about a quarter of those who did create one or more reports enriched them
98% of the time is quite impressive. It shows that the CNAs were strongly motivated
to do this even though, of course, they received no material reward (don’t be
fooled by the fact that the program had “enrichment” in the title. This is the
government, after all!).
It's nice to have good news every
now and then. It breaks the monotony.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum and its Vulnerability Database Working Group. These two
groups work to understand and address issues like what’s discussed in this
post; please email me to learn more about what we do or to join us. You can
also support our work through easy directed donations to OWASP, a 501(c)(3)
nonprofit, which are passed through to the SBOM Forum. Please email me to
discuss that.
My book "Introduction to SBOM and VEX"
is available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.