[BreachExchange] Most Organizations Have Incomplete Vulnerability Information

Wed Nov 27 08:55:38 EST 2019

https://www.darkreading.com/vulnerabilities---threats/most-organizations-have-incomplete-vulnerability-information/d/d-id/1336460

Companies that rely solely on CVE/NVD are missing 33% of disclosed
flaws, Risk Based Security says.

A new report shows companies that rely solely on the Common
Vulnerabilities and Exposures (CVE) system for their vulnerability
information are leaving themselves exposed to a substantial number of
security issues they don't know about.

Risk Based Security's researchers have so far this year identified
5,970 more vulnerabilities than reported in the CVE and National
Vulnerability Database (NVD). Of them, 18.4% had a CVSS v2 score
ranging from 9 to 10, meaning they were considered critical. When
vulnerabilities with a severity rating of 7 to 9 were also counted,
some 43.5% of the 5,970 flaws not reported in the CVE/NVD system were
either high risk or critical. Flaws not listed in CVE/NVD included
those involving products from major vendors including Oracle,
Microsoft, and Google.

"Organizations that rely on vulnerability intelligence are dealing
with an alarming number of issues that impact all parts of their
infrastructure," says Brian Martin, vice president of vulnerability
intelligence at Risk Based Security.

CVE and NVD only include vulnerabilities that security vendors and
researchers directly report to them. As a result, thousands of flaws
that researchers discover and disclose in other ways are not getting
listed in CVE/NVD, he says. According to Risk Based Security,
organizations that rely solely on CVE/NVD likely miss 33% of all
disclosed vulnerabilities, on average.

Researchers can disclose vulnerabilities in different ways and
different places — from their own blogs to one of millions of
repositories on GitHub. "GitHub currently has over 100 million
repositories, and that is just a single site," Martin notes.
"Factoring in BitBucket, SourceForge, GitLab, and many others, the
amount of places a vulnerability may pop up is insane."

Researchers might blog about a vulnerability discovery but often don't
cross-post the disclosure to known vulnerability reporting sites such
as Bugtraq, Full-Disclosure, or PacketStorm. "Every week we find
around a dozen more sources like this, as well as new software being
released, or software and third-party libraries," Martin says.

In total, Risk Based Security's VulnDB team aggregated 16,738 security
vulnerabilities in the first three quarters of 2019. Nearly half — 48%
— had a severity score ranging from 6 to 10. Troublingly, exploit code
or proof-of-concept code was available for 39% of the disclosed flaws
that Risk Based Security's researchers counted for that time period.

Oracle topped the list of organizations with the most reported
security vulnerabilities. Risk Based Security's data showed the
company reported 969 security flaws in its products between Jan. 1 and
the end of September. Google, with 945 flaws, and SUSE, with 812
flaws, were in second and third place, respectively.

Both Oracle and Google moved up in Risk Based Security's Top 10 list;
last year Oracle ranked third and Google ranked fourth among companies
that disclosed the most security vulnerabilities in their products.
SUSE improved from topping the list last year to moving to the third
spot so far in 2019. Meanwhile, Microsoft, which often is perceived as
reporting more vulnerabilities than others, was in ninth spot with 485
vulnerabilities, while Cisco landed in 10th spot with 390
vulnerabilities.

As with last year, a majority of the disclosed bugs (10,868) over the
past three quarters impacted system integrity. About 1,800 impacted
availability and slightly more than 2,600 were related to
confidentiality.