A vulnerability is a weakness or flaw in a system, application, hardware, or process that can be exploited by an attacker to cause damage or gain unauthorized access.
These weaknesses can arise due to design flaws, implementation defects, or inadequate security measures.
Understanding and managing vulnerabilities is crucial for protecting organizations' information and resources.
Vulnerabilities in dependencies and SBOMs
Modern software projects often rely on third-party components and libraries, called dependencies.
These may contain vulnerabilities that, if not managed, compromise the security of the entire system.
By using SBOMs (Software Bills of Materials), organizations can identify which dependencies exist in their systems and address any vulnerabilities in them.
Common types of vulnerabilities
There are several categories of vulnerabilities that commonly occur:
- Buffer Overflow: When a program writes more data to a buffer than it can handle, which can lead to execution of malicious code.
- SQL Injection: Input of malicious SQL code into an application's database queries, which can provide unauthorized access to data.
- Cross-Site Scripting (XSS): Injection of malicious script code on websites, which can affect users visiting the site.
- Insecure Deserialization: When an application deserializes data from untrusted sources, which can lead to execution of malicious code.
- Directory Traversal: Exploitation of vulnerabilities to gain access to files and directories outside the intended directory structure.
See the references below for a more comprehensive list of different types of vulnerabilities compiled by the OWASP organization.
Assessment of vulnerability severity: CVSS and EPSS
To effectively manage vulnerabilities, it is important to be able to assess their severity and likelihood of exploitation.
Two established systems for this are the Common Vulnerability Scoring System (CVSS) and the Exploit Prediction Scoring System (EPSS).
Common Vulnerability Scoring System (CVSS)
CVSS is a standardized framework that provides a score between 0 and 10 based on the vulnerability's characteristics, such as how it can be exploited and its impact on the system's confidentiality, integrity, and availability.
This score helps organizations understand the vulnerability's potential impact and prioritize actions accordingly.
| Severity | Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1–3.9 |
| Medium | 4.0–6.9 |
| High | 7.0–8.9 |
| Critical | 9.0–10.0 |
Exploit Prediction Scoring System (EPSS)
EPSS is a system that uses machine learning and real-time data to predict the likelihood that a vulnerability will be exploited.
EPSS complements CVSS by providing insight into which vulnerabilities are most likely to be exploited in reality, helping to further prioritize actions.
By combining information from both CVSS and EPSS, organizations can get a more comprehensive picture of vulnerabilities' risk profiles and thus streamline their security measures.
Remedying vulnerabilities through patches
When a vulnerability is identified, it is important to quickly implement corrective measures, often in the form of patches or updates, to prevent potential attacks.
Since new vulnerabilities are constantly being discovered, it is crucial to have automated processes to continuously monitor, identify, and address these weaknesses.
By automating this process, organizations can ensure that their systems remain protected against both known and newly discovered threats.
Threats and risks associated with vulnerabilities
A threat is a potential event or actor that can exploit a vulnerability to cause harm to a system or organization. It can be anything from a malicious hacker to malware.
A risk, on the other hand, represents the likelihood that a threat exploits a vulnerability and the potential impact it can have. Risk is assessed by analyzing both the likelihood of exploitation and the consequences of such an event.
By understanding the relationship between vulnerabilities, threats, and risks, organizations can better prioritize their security efforts and resources.
Prioritization and management of vulnerabilities
Managing vulnerabilities effectively requires a structured method for identifying, assessing, and prioritizing them.
By using tools such as SBOMs (Software Bill of Materials), organizations can get a detailed inventory of their software components and their dependencies, facilitating vulnerability management.
Prioritization of vulnerabilities
To ensure that the most critical vulnerabilities are addressed first, it is important to:
- Assess vulnerability severity: Use standardized frameworks such as CVSS (Common Vulnerability Scoring System) to quantify the vulnerability's potential impact.
- Evaluate likelihood of exploitation: Tools such as EPSS (Exploit Prediction Scoring System) help predict the likelihood that a vulnerability will be exploited within a certain timeframe.
- Analyze business impact: Consider how a vulnerability may affect business continuity, especially in systems that handle sensitive information or are business-critical.
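The three prioritization criteria above, combined in one ranking, as an added example (not code from the original page). The severity bands follow the CVSS table; the EPSS values, the placeholder CVE identifiers and the doubling for business-critical assets are constructed assumptions for the example, not a standard formula.

```python
from dataclasses import dataclass

# CVSS qualitative severity bands (upper bound of each band), as in the table above.
CVSS_BANDS = [(3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal) to its severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    for upper, label in CVSS_BANDS:
        if score <= upper:
            return label
    return "Critical"  # not reachable after the range check, kept for clarity


@dataclass
class Finding:
    cve: str                 # placeholder identifiers below, not real CVEs
    cvss: float              # CVSS base score (impact)
    epss: float              # EPSS probability of exploitation within its time window, 0.0-1.0
    asset: str
    business_critical: bool  # system handles sensitive data or is business-critical


def risk_score(f: Finding) -> float:
    """Impact x likelihood x business context.

    The doubling for business-critical assets is an assumed weighting for this
    example, not a standard formula; tune it to your own risk appetite."""
    weight = 2.0 if f.business_critical else 1.0
    return f.cvss * f.epss * weight


def prioritize(findings: list) -> list:
    """Highest combined risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings. Note that the CVSS-Critical finding on a test
# wiki with a very low EPSS ranks below a High finding that is likely to be exploited.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.02, "internal test wiki", False),
    Finding("CVE-0000-0002", 7.5, 0.85, "customer portal", True),
    Finding("CVE-0000-0003", 5.3, 0.40, "billing API", True),
    Finding("CVE-0000-0004", 3.1, 0.01, "build agent", False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.cve} {cvss_severity(f.cvss):8} EPSS={f.epss:.2f} risk={risk_score(f):.2f} {f.asset}")
```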
Patch Management
Proactive patch management is crucial for reducing the risk of attacks. By regularly updating software components, known vulnerabilities can be addressed before they are exploited.
Automated tools can monitor systems and identify which patches need to be applied, streamlining the process and reducing human error.
Connection between SBOM and specific environments
SBOMs provide a detailed inventory of all components in software, including their versions. By having system support for linking SBOMs to specific environments, organizations can:
- Track components in different systems: Understand exactly which components exist in which environments, such as production or test environments.
- Prioritize actions based on environment: Vulnerabilities in production systems that handle sensitive information should be prioritized higher than those in test systems.
- Simplify compliance and reporting: Have a clear overview of software composition to facilitate audits and ensure compliance with regulations.
The above enables organizations to quickly respond to the critical questions that arise when new vulnerabilities are discovered:
- Are we affected?
- Which systems and environments are affected?
- Do we need to act immediately?
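The three questions above, answered from SBOMs linked to environments, as an added example (not code from the original page). The advisory, the component names and the environments are constructed; version comparison is simplified to dotted numeric versions, and "act immediately" is taken to mean an affected production environment that handles sensitive data, as the text suggests.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    name: str      # package name as it appears in the SBOM
    version: str   # dotted numeric version (simplifying assumption, see parse_version)


@dataclass
class Environment:
    name: str
    production: bool
    sensitive_data: bool
    sbom: list = field(default_factory=list)  # Components linked to this environment


def parse_version(v: str) -> tuple:
    """Compare dotted numeric versions only. Real ecosystems (semver pre-releases,
    Debian epochs, ...) need their own comparators; this is an assumption of the example."""
    return tuple(int(p) for p in v.split("."))


def is_affected(c: Component, advisory: dict) -> bool:
    """Affected if the name matches and introduced <= version < fixed."""
    if c.name != advisory["package"]:
        return False
    v = parse_version(c.version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def assess(environments: list, advisory: dict) -> dict:
    """Answer: are we affected, which environments, do we need to act immediately?"""
    hits = {}
    for env in environments:
        affected = [c for c in env.sbom if is_affected(c, advisory)]
        if affected:
            hits[env.name] = affected
    urgent = any(e.production and e.sensitive_data for e in environments if e.name in hits)
    return {"affected": bool(hits), "environments": sorted(hits), "act_immediately": urgent}


# Constructed sample data: a placeholder advisory and three environments with linked SBOMs.
ADVISORY = {"id": "CVE-0000-0001", "package": "example-json-parser",
            "introduced": "2.0.0", "fixed": "2.4.1"}
ENVIRONMENTS = [
    Environment("prod-portal", True, True,
                [Component("example-json-parser", "2.3.0"), Component("example-http", "1.9.2")]),
    Environment("test-portal", False, False, [Component("example-json-parser", "2.4.1")]),
    Environment("prod-analytics", True, False, [Component("example-json-parser", "1.8.0")]),
]

if __name__ == "__main__":
    print(assess(ENVIRONMENTS, ADVISORY))
```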
By combining detailed information from SBOMs with a structured patch management process, organizations can not only effectively identify, prioritize, and address vulnerabilities – they also get a clear overview of risk exposure in different environments, strengthening their overall resilience against attacks.
How are vulnerabilities managed and published?
To understand how vulnerabilities are managed and published, it is important to know the different actors and steps in the process.
Below are important terms and how a vulnerability goes from discovery to publication and enrichment.
Important concepts in vulnerability management
- CVE (Common Vulnerabilities and Exposures): A unique identification system for known vulnerabilities in software and hardware. Each discovered vulnerability is assigned a CVE identifier, facilitating tracking and management of security issues.
- CNA (CVE Numbering Authorities): Organizations authorized to identify and assign CVE identifiers to vulnerabilities. These can be software vendors, research institutions, or other security organizations. When a vulnerability is discovered, it is reported to a relevant CNA, such as a software vendor or security organization, which reviews the information and, if it meets the criteria, assigns a CVE identifier.
- NIST's role: The National Institute of Standards and Technology (NIST) is responsible for maintaining the National Vulnerability Database (NVD), a comprehensive database of known vulnerabilities. After a vulnerability has received a CVE identifier from a CNA, it is published in NVD. Here the vulnerability is enriched with additional information, such as CVSS scores (Common Vulnerability Scoring System), CWE categories (Common Weakness Enumeration), and CPE names (Common Platform Enumeration), helping organizations understand the vulnerability's severity and which systems are affected.
- Enrichment: After a vulnerability has been published in NVD, it undergoes an enrichment process where additional details are added. This includes assigning CVSS scores to assess the vulnerability's severity, categorizing the vulnerability with a CWE (Common Weakness Enumeration), and associating relevant CPE names (Common Platform Enumeration) to identify which products are affected. This process ensures that organizations have all the necessary information to manage the vulnerability effectively.
- CPE (Common Platform Enumeration): A standardized system for naming and identifying software and hardware products. By using CPE names, organizations can quickly determine if a specific product is affected by a vulnerability. It is important that CNAs include correct CPE names when reporting vulnerabilities to facilitate this process.
- CWE (Common Weakness Enumeration): A system for categorizing and identifying common types of weaknesses in software. By associating a vulnerability with a specific CWE category, organizations can better understand its nature and take appropriate action.
What does the process look like?
- Discovery and reporting: A security researcher, vendor, or other party identifies a potential vulnerability and reports it to a CNA, such as a software vendor or security organization.
- Review and CVE assignment: The CNA reviews the report and, if the vulnerability meets the criteria, assigns it a CVE identifier.
- Publication in CVE database: When a CVE has been assigned, it is officially published in the CVE database, often without complete metadata.
- Enrichment in NVD: NVD, maintained by NIST, retrieves CVE information and supplements it with additional data such as CVSS scores, CPE names, and CWE categories.
- Availability to security teams: When the vulnerability has been enriched, it becomes more useful for security teams and organizations, making it possible to identify impact and take action.
Challenges and upcoming changes
During 2024, problems arose with the enrichment process in NVD, leading to many vulnerabilities being published without complete metadata, such as CVSS scores and CPE names. This created difficulties for organizations to assess and manage these vulnerabilities.
To improve the process, it has been proposed that CNAs include more detailed information when reporting, including correct CPE names, so that vulnerabilities are published from the beginning with all necessary metadata.
Additionally, discussions are ongoing about introducing new identification systems, such as Package URLs (purl), to complement or in some cases replace CPE and improve accuracy in product identification.
Package URLs (purl) are designed to uniquely identify software packages and can potentially provide more accurate identification than CPE. However, it is important to emphasize that this is not yet an official standard – it is currently only under discussion within the security and development community.
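To make the two product identifiers discussed here concrete (CPE names in the concepts list above and purl in this section), an added example, not code from the original page: a parser for CPE 2.3 formatted strings with wildcard matching, and a parser for purl. Both parsers are simplified (no percent-decoding, no unbinding of escaped CPE characters), and all identifiers are constructed for a fictional product rather than taken from NVD.

```python
import re

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language",
              "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes.

    Fields are separated by colons; a literal colon inside a field is escaped as '\\:'
    and is kept escaped here (no unbinding to a WFN is attempted)."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def cpe_matches(advisory_cpe: str, product_cpe: str) -> bool:
    """True if every attribute of the advisory's CPE is '*' (ANY) or equals the product's."""
    a, p = parse_cpe23(advisory_cpe), parse_cpe23(product_cpe)
    return all(a[k] == "*" or a[k] == p[k] for k in CPE_FIELDS)


# purl: pkg:type/namespace/name@version?qualifiers#subpath, where namespace, version,
# qualifiers and subpath are optional. Simplified: no percent-decoding of components.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]+))?(?:#(?P<subpath>.+))?$")


def parse_purl(purl: str) -> dict:
    """Split a purl into type, namespace, name, version, qualifiers (dict) and subpath."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    d = m.groupdict()
    d["qualifiers"] = dict(kv.split("=", 1) for kv in d["qualifiers"].split("&")) if d["qualifiers"] else {}
    return d


# Constructed identifiers for a fictional product; not taken from NVD.
ADVISORY_CPE = "cpe:2.3:a:example_vendor:example_parser:*:*:*:*:*:*:*:*"
INSTALLED_CPE = "cpe:2.3:a:example_vendor:example_parser:2.3.0:*:*:*:*:*:*:*"
OTHER_CPE = "cpe:2.3:a:other_vendor:example_parser:2.3.0:*:*:*:*:*:*:*"
INSTALLED_PURL = "pkg:npm/example-parser@2.3.0"

if __name__ == "__main__":
    print(cpe_matches(ADVISORY_CPE, INSTALLED_CPE), cpe_matches(ADVISORY_CPE, OTHER_CPE))
    print(parse_purl(INSTALLED_PURL))
```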