
Vulnerability Landscape

Overview

A plot of CVE counts per year helps us understand why we need to be able to prioritize CVEs effectively (by risk).

To do that we need to understand the building blocks we have to work with.

This section gives

  1. an overview of how the main relevant vulnerability standards fit together
    1. for recording and ranking vulnerabilities and their exploitation status or likelihood
    2. the characteristics of vulnerabilities
  2. a timeline
    1. with the count, and cumulative count, of CVEs over time (based on the Published date of each CVE)
    2. when different standards were released

πŸ§‘β€πŸ’» Source Code

Timeline

Count of CVEs published per year

CVEs published per year (cumulative), with publication dates of standards

Vulnerability Standards

Vulnerability Landscape Main Efforts

Key Risk Factor Standards

Quote

“CWE is the root mistake, which can lead to a vulnerability (tracked by CVE in some cases when known), which can be exploited by an attacker (using techniques covered by CAPEC)”, which can lead to a Technical Impact (or consequence), which can result in a Business Impact

  • “CWE focuses on a type of mistake that, in conditions where exploits will succeed, could contribute to the introduction of vulnerabilities within that product.”

  • “A vulnerability is an occurrence of one or more weaknesses within a product, in which the weakness can be used by a party to cause the product to modify or access unintended data, interrupt proper execution, or perform actions that were not specifically granted to the party who uses the weakness.” https://cwe.mitre.org/documents/cwe_usage/guidance.html

From weakness to Impact

CVE - CWE - Technical Impact

  1. A CVE may have zero or more CWEs associated with it e.g. Log4Shell CVE-2021-44228 has 4 CWEs
  2. A CWE may have zero or more Common Consequences/Technical Impacts associated with it e.g. CWE-917 (one of Log4Shell's CWEs) has 2.
  3. A CWE may be associated with zero or more CVEs.
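The three relationships above are all zero-or-more in both directions, which is easy to get wrong when building a vulnerability inventory. The following is an added example, not code from the original page: a small in-memory model that links CVEs to CWEs and CWEs to their Technical Impacts, then walks the links in either direction. The CVE IDs are the ones named on this page; the CWE assignments (other than CWE-917) and the consequence lists are constructed sample data, and `CVE-9999-00001` is a placeholder, so check the NVD record and the CWE entry for the authoritative mapping.

```python
"""Model of the CVE -> CWE -> Technical Impact chain (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: CWEs attached to each CVE. CVE-2021-44228 (Log4Shell)
# carries four CWEs, as the page states; apart from CWE-917 the IDs are
# illustrative, and CVE-9999-00001 is a placeholder with no CWE assigned yet.
CVE_TO_CWES = {
    "CVE-2021-44228": ["CWE-917", "CWE-502", "CWE-400", "CWE-20"],
    "CVE-2023-22665": ["CWE-917"],
    "CVE-2023-41331": ["CWE-917"],
    "CVE-9999-00001": [],
}

# Constructed sample of CWE "Common Consequences" (Technical Impacts).
# The page says CWE-917 has two; the wording here is illustrative.
CWE_TO_IMPACTS = {
    "CWE-917": ["Execute Unauthorized Code or Commands", "Read Application Data"],
    "CWE-502": ["Execute Unauthorized Code or Commands", "Modify Application Data"],
    "CWE-400": ["DoS: Resource Consumption (CPU)"],
    "CWE-20": [],  # constructed: a weakness with no consequence listed
}


def build_cwe_index(cve_to_cwes):
    """Invert the CVE -> CWE map so a CWE can be traced back to every CVE that cites it."""
    index = defaultdict(set)
    for cve, cwes in cve_to_cwes.items():
        for cwe in cwes:
            index[cwe].add(cve)
    return index


CWE_TO_CVES = build_cwe_index(CVE_TO_CWES)


def cwes_for_cve(cve):
    """CWEs recorded for a CVE; empty list when none has been assigned."""
    return list(CVE_TO_CWES.get(cve, []))


def cves_for_cwe(cwe):
    """All CVEs that cite a given CWE, sorted; empty list for an unused CWE."""
    return sorted(CWE_TO_CVES.get(cwe, ()))


def impacts_for_cve(cve):
    """Technical Impacts reachable from a CVE through all of its CWEs, de-duplicated."""
    impacts = set()
    for cwe in cwes_for_cve(cve):
        impacts.update(CWE_TO_IMPACTS.get(cwe, []))
    return sorted(impacts)


def cves_with_impact(impact):
    """CVEs whose CWE chain leads to a given Technical Impact."""
    return sorted(cve for cve in CVE_TO_CWES if impact in impacts_for_cve(cve))


if __name__ == "__main__":
    for cve in CVE_TO_CWES:
        print(cve, cwes_for_cve(cve), impacts_for_cve(cve))
    print("CVEs citing CWE-917:", cves_for_cwe("CWE-917"))
```

Because the chain is followed through a set, a CVE whose CWEs share a consequence (as CWE-917 and CWE-502 do here) reports that consequence once; and a CVE with no CWE, or a CWE with no listed consequence, simply yields an empty list rather than an error, which is the behaviour an inventory needs while NVD analysis is still pending.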

To understand MITRE CAPEC vs MITRE ATT&CK, see https://capec.mitre.org/about/attack_comparison.html.

Quote

“NVD is using CWE as a classification mechanism that differentiates CVEs by the type of vulnerability they represent.”

“The NVD makes use of a subset of the entire CWE List, which is enumerated by the CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) view. NVD analysts will associate the most specific CWE value within the CWE-1003 view based on the publicly available information at the time of analysis.” https://nvd.nist.gov/vuln/cvmap/How-We-Assess-Acceptance-Levels, https://nvd.nist.gov/vuln/categories

Takeaways

  1. The count of published CVEs per year is increasing at a very significant rate.
  2. Organizations need an effective prioritization method to know what to remediate first.
  3. CISA KEV is a source of vulnerabilities that have been exploited in the wild. EPSS gives the probability a vulnerability will be exploited in the wild (in the next 30 days).
  4. CISA SSVC is an alternative to CVSS.
  5. “CWE is the root mistake, which can lead to a vulnerability (tracked by CVE in some cases when known), which can be exploited by an attacker (using techniques covered by CAPEC)”, which can lead to a Technical Impact (or consequence), which can result in a Business Impact
  6. NVD uses CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities)
  7. A CVE may have zero or more CWEs associated with it e.g. Log4Shell has 4 CWEs
  8. A CWE may have zero or more Common Consequences/Technical Impacts associated with it e.g. CWE-917 (one of Log4Shell's CWEs) has 2.
  9. A CWE may be associated with zero or more CVEs e.g. CWE-917 is associated with CVE-2023-22665, CVE-2023-41331, and many other CVEs.
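Takeaways 2 to 4 name the building blocks for prioritizing by risk rather than by severity alone: CISA KEV (evidence of exploitation in the wild), EPSS (probability of exploitation in the next 30 days) and CVSS (severity). The following is an added example, not code from the original page, showing one way to combine them into a remediation order and how that order differs from a CVSS-only sort. The inventory, scores and the `EPSS_THRESHOLD` cutoff are constructed sample values (the real EPSS and CVSS values are published by FIRST and NVD), the two `CVE-9999-*` IDs are placeholders, and the tiering policy is an illustrative one of my own, not the CISA SSVC decision tree.

```python
"""Risk-based ordering of CVEs from KEV membership, EPSS and CVSS (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float    # CVSS base score, 0.0 to 10.0
    epss: float    # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    in_kev: bool   # listed in the CISA Known Exploited Vulnerabilities catalog


# Constructed sample inventory. Scores are illustrative, not the published values;
# the two CVE-9999-* entries are placeholders chosen to show CVSS and EPSS disagreeing.
INVENTORY = [
    Finding("CVE-2021-44228", cvss=10.0, epss=0.97, in_kev=True),
    Finding("CVE-2023-22665", cvss=7.5, epss=0.01, in_kev=False),
    Finding("CVE-2023-41331", cvss=8.8, epss=0.04, in_kev=False),
    Finding("CVE-9999-00001", cvss=9.8, epss=0.002, in_kev=False),  # critical severity, rarely exploited
    Finding("CVE-9999-00002", cvss=5.3, epss=0.60, in_kev=False),   # medium severity, likely exploited
]

# Illustrative cutoff (an assumption): EPSS at or above this puts a CVE in the "likely" tier.
EPSS_THRESHOLD = 0.10


def tier(finding):
    """1 = known exploited (KEV), 2 = likely to be exploited (EPSS), 3 = everything else."""
    if finding.in_kev:
        return 1
    if finding.epss >= EPSS_THRESHOLD:
        return 2
    return 3


def prioritize(findings):
    """Order by tier, then by higher EPSS, then by higher CVSS as the tie-breaker."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def remediation_order(findings):
    """CVE IDs in the order they should be remediated under the tiered policy."""
    return [f.cve for f in prioritize(findings)]


def cvss_only_order(findings):
    """What a severity-only policy would produce, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("risk-based:", remediation_order(INVENTORY))
    print("CVSS-only: ", cvss_only_order(INVENTORY))
```

On the sample data the two orderings agree only on the KEV entry at the top: the CVSS-only sort puts the 9.8 placeholder second and the 5.3 placeholder last, while the tiered order does the reverse because EPSS says the 5.3 one is far more likely to be exploited. KEV is treated as a hard override rather than a score because it records exploitation that has already happened, whereas EPSS is a forward-looking probability.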