
CVE controversy creates opportunity to improve
An intense debate over how best to administer the tracking of common vulnerabilities and exposures (CVEs) is now underway following a last-minute decision by the Trump administration to continue funding this effort for the next 11 months.
Today, CVEs are each given a unique name under a federally funded program administered by the MITRE Corporation. Any new vulnerability that is discovered can be reported to a CVE Numbering Authority (CNA) that helps administer the program. That data is then widely shared with cybersecurity vendors that use that information to alert customers and, if available, help remediate the root cause of the issue.
There are, however, other approaches to tracking CVEs. For example, a nonprofit CVE Foundation has now been formed to champion an alternative way of managing this process. The board members of the CVE Foundation thus far include cybersecurity professionals from a variety of tech companies, as well as from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
It’s not clear to what degree the U.S. government will support this initiative, but other governments around the world have clearly been concerned about how the CVE process is being managed. For example, last year the European Union (EU) set up the European Union Vulnerability Database (EUVD), administered by the European Union Agency for Cybersecurity (ENISA). Similar to the National Vulnerability Database (NVD) set up by the U.S., the EUVD organizes issues by their CVE-assigned unique ID, documents their impact, and links to advisories and patches.
Potential for a change in approach to CVEs
It may be a while before any type of consensus is reached about how best to administer the reporting of CVEs, but when all is said and done there may be an opportunity for improvement. Many cybersecurity researchers are now incentivized to discover potential vulnerabilities that may not be especially critical. In fact, it’s not uncommon for the severity ratings attached to CVEs to be hotly disputed in an era where cybersecurity researchers are competing with one another to discover the next big threat.
The severity rankings of CVEs are also a source of contention between cybersecurity teams and application development teams. Many application developers resent tracking down vulnerabilities only to discover they are exploitable only in rare circumstances. Most developers can allocate only so much time a month to creating fixes for existing applications, so when those efforts are wasted they tend to pay even less attention to subsequent alerts.
Eventually, advances in artificial intelligence will make it easier not only to discover vulnerabilities but also to remediate them by surfacing snippets of code that can be applied without breaking an application.
In the meantime, however, cybersecurity teams should pay closer attention to how the CVE process is managed. Prioritizing threats solely on the severity rankings attached to CVEs is not sufficient. An analysis of 110 million security alerts conducted by OX Security, for example, found that only 2% to 5% require immediate action, with more than 95% considered informational. That doesn’t mean alerts should be ignored, but it does make it clear they need to be carefully assessed before cybersecurity teams decide to pull any proverbial fire alarms.
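To make the point concrete, here is an added example (not code from the original post or from OX Security) of a triage rule that weighs a CVE's published severity against context a defender actually has, such as whether the vulnerable code path is reachable, whether the component is exposed to untrusted networks, and whether exploitation has been observed. The CVE identifiers, scores and findings are constructed placeholders, and the thresholds are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve_id: str            # constructed placeholder, not a real CVE
    cvss_base: float       # severity score published with the CVE
    known_exploited: bool  # evidence of exploitation in the wild
    reachable: bool        # vulnerable code path reachable in this build
    internet_facing: bool  # affected component exposed to untrusted networks

def severity_only_immediate(f: Finding) -> bool:
    """The naive rule the post argues against: critical CVSS means act now."""
    return f.cvss_base >= 9.0

def triage(f: Finding) -> str:
    """Return 'immediate', 'scheduled' or 'informational' using context, not just severity."""
    # An unreachable code path cannot be exploited here, whatever the score says.
    if not f.reachable:
        return "informational"
    # Observed exploitation of an exposed component beats any score.
    if f.known_exploited and f.internet_facing:
        return "immediate"
    if f.cvss_base >= 9.0 and f.internet_facing:
        return "immediate"
    # High severity or known exploitation on an internal component: fix in the next cycle.
    if f.cvss_base >= 7.0 or f.known_exploited:
        return "scheduled"
    return "informational"

# Constructed sample findings, as a vulnerability scanner might report them.
SAMPLE = [
    Finding("CVE-YYYY-0001", 9.8, False, True, False),
    Finding("CVE-YYYY-0002", 9.8, False, False, True),
    Finding("CVE-YYYY-0003", 6.5, True, True, True),
    Finding("CVE-YYYY-0004", 5.3, False, True, False),
    Finding("CVE-YYYY-0005", 9.1, False, True, True),
]

def summarize(findings):
    """Count findings per triage bucket and how many a severity-only rule would flag."""
    counts = {"immediate": 0, "scheduled": 0, "informational": 0}
    for f in findings:
        counts[triage(f)] += 1
    counts["severity_only_immediate"] = sum(severity_only_immediate(f) for f in findings)
    return counts

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve_id, f.cvss_base, "->", triage(f))
    print(summarize(SAMPLE))
```

On the constructed sample, the severity-only rule flags three of five findings for immediate action while the context-aware rule flags two, one of which has only a medium score but is known to be exploited on an exposed component.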