Thursday, March 21, 2024

Bad security news

This is really bad - the National Vulnerability Database is jacked up:

Vital data used to protect against cyberattacks is missing from more than 2,000 of the latest entries in the world’s most widely used vulnerability database.

A significant number of new CVEs (common vulnerabilities and exposures) added to the National Vulnerability Database (NVD) in recent weeks have lacked enrichment data — details necessary for researchers and security teams to understand the bugs.

The NVD was established in 2005 by the U.S. National Institute of Standards and Technology (NIST) and last year alone, information on more than 29,000 discovered flaws was added to the database.

It is hard to overstate just how important the NVD is to the security industry and to organizations in general. The issue really comes from the explosion of reported vulnerabilities: from around 1,000/year in the 1990s to over 20,000/year today. That's a lot of analysis that is needed.

I hear rumors that NIST has had a budget cut, but quite frankly this doesn't get to the heart of the issue which is that the software industry is not covering the cost of the vulnerabilities that they release. This is an interesting potential solution:

John Pescatore, SANS Technology Institute director of emerging security trends, drew a comparison between cybersecurity and road safety.

“For automotive ‘vulnerabilities’ (recalls) that have to be fixed, vehicle manufacturers are required to notify the National Highway Traffic Safety Administration, who has maintained an easy to use database. Those manufacturers also have to pay for the vehicles to be fixed! The NHTSA had a 40-year head start over NIST/NVD, but it really is time for legislation to treat software more like we treat vehicles.”

Right now there is no cost to a company that releases bug-filled software - the cost is born by NIST. I'm not sure that a "Software recall" is the right way to approach this, but a (say) $10,000 charge for each vulnerability doesn't seem unreasonable. Non-commercial software could be for no charge, but the bulk of the CVEs are against software that is sold.

Likely there are other funding solutions, but like I said at the beginning it's hard to overstate just how important the NVD is to companies IT Security programs. Something needs to change. 

 

 

 

 

3 comments:

  1. What needs to change is our complacency. Regardless of what happens, we must always assume we are being watched land/or overheard.

    And that is only half the problem. In today’s North America, the authorities regularly attack our own people by fabricating evidence and conducting kangaroo courts, witch hunts, and show trials. Unfortunately there is only one defence against tactics like that… and cyber security is at the bottom of that particular list.

    ReplyDelete
  2. Google's not going to care about a $10,000 fine. Make it, say, 1% of gross revenue of the last 365 days.

    ReplyDelete
  3. How many of the issues are a result of action by government agencies demanding access?
    Not that the FBI nor the DoJ nor the CIA would EVER do any such thing, of course!

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.