
Is that better? Yeah.
>> All right. There. Now you can hear what I say. Sorry. I won't start over, though. And we'll go through navigating some strategies on how you can work in your company to make this a better situation for all. So in the US we have some political issues going on, as everybody knows. We won't dive deep into those, but the CVE program has what some people are calling a funding crisis. It is really just a reduction of CISA's budget from $4 billion a year to $3 billion a year by a guy named Elon Musk, who I think you might have heard of, who just kind of decided everything could run for 25% cheaper, and we're kind of living that in the US and in our government right now. So part of that was they didn't renew a contract with an organization called MITRE, which runs the CVE program. It's about $15 million a year. So $15 million out of a billion isn't a lot. Somebody looked under the couch and found the $15 million and gave it to MITRE, and they continued the CVE program with no issues. So that was that problem. The other problem is the NVD backlog. We'll get into this a little bit later. The National Vulnerability Database is a federal organization meant to enrich data for US federal government agencies. But 95% of people in the world who use CVE data get it from the NVD. And as a government agency, they are slow, bureaucratic, and they had hit a tipping point on what they can actually get done. It turns out they could analyze and keep up with about 80 CVEs a day. Last year we were at 125 CVEs published a day, and now we're at about 130 CVEs published per day. So they're just falling behind. And the last thing is the volume explosion, which I just talked about. We are seeing massive growth in CVEs reported by many companies.
That doesn't work.
So, as I talk about, the CVE program is the foundation everybody relies on to get their data. I was in Cambridge and they were talking about what's going to happen next. There are a couple of different things that could happen next. One is bifurcation. The EU would maybe start... well, they've started the EU vulnerability database. It's called the EUVD. Right now they have pinky promised to only publish CVEs in the EUVD. So basically it's just a backup of the CVE database right now. But pinky promises don't work when you have the politics that are going on in America. So at any time they could start publishing their own vulnerabilities. Russia has a very big database of vulnerabilities that is super interesting to look at. It's all public data though, so they're not putting anything super secret in there. They have exploit data in their CVE database. So if that's something that you're interested in and you have a good translator or know a little bit of Russian, you can go and look at their database and see, oh, this CVE is attached to this vulnerability, sometimes with proof-of-concept code in the database. So it's really an interesting place to dig into and look.
So I already talked about the funding crisis. It's just getting worse and worse, especially on the NVD side. I put this slide here so I can come back and talk about NVD and the cascading effects. NVD refuses to use AI, for good reason. They've run a bunch of tests and the best they can get is 90% accuracy. I run an AI team. 90% accuracy is the gold standard for an AI model. They're like, "Oh, yeah, that's good." 90% accuracy for vulnerability data that's being published to the internet is terrible. So we have a mismatch between what AI can do at the time and what we need the data to be. And there's no easy way to pick out the 10% that are wrong. Sometimes it's very small, so you end up having to go back and check everything the AI model produced. Anyway, scaling it with a human-in-the-loop team is not possible due to government hiring regulations and the need for those people to be in offices and seats in Maryland making Maryland wages, which is about $180,000 a year per analyst for CVEs. And believe it or not, not many people want to spend their whole lives giving CVSS scores to vulnerabilities. And when you know that 45% of all vulnerabilities are WordPress vulnerabilities, that job gets even less attractive.
So the NVD has a backlog now. Over 25,000 CVEs, as of this morning, have not been looked at by the NVD. 120 days is about what it's taking for anything that's not published by Microsoft, Apple, Cisco, HP or Fortinet to get analyzed. CISA did step in and give them a list and say, here are the vendors that you have to prioritize CVEs for. You will notice that none of those companies that I mentioned are open source. If a company uses open source, those are not getting analyzed or prioritized, and in a backwards way, while they're looking at CVEs from Microsoft, Cisco, HP, etc., they're not looking at the open-source tools that they use in there. So we're getting a backlog of published data that's out and not actionable at the average user's place. So we're opening the windows for attackers in a way that we've not seen in the last 20 years, because they have access to, hey, we know there's a vulnerability here, but it hasn't been CVSS scored. So your average company doesn't know how to prioritize it and patch it. So it's really opened the windows for red teams and bad guys in general. CISA has stepped in to try to fill the void. They released a one-page paper last week called the CVE Quality Era.
I was a co-author of that. I helped them sit down and talk about moving from the era of just trying to have as many CVEs published as possible to really making sure that CNAs who publish CVEs are providing all the data that people need. It's going to be a long, hard fight. There are tons of politics and nastiness and stuff that shouldn't be involved in this program, but it is. If you want to know about it, you can catch me at lunch, or you can just look up CVE Foundation and CISA and there are plenty of stories about how those two groups don't really like each other and are not seeing eye to eye.
So here's what this means for the average security professional, which is what I really want to talk about. There are three things. First, we have the increased workload. If you work at a company that isn't a billion-dollar company and can't buy every feed, you're having to do a lot of hands-on vulnerability management, lookup and research by yourself these days. That means you have to know what your stack is. You have to run it. You have to go read every CVE description and figure out, is it there or not? Really, for the last 20 years we have let the US government build and maintain the vulnerability infrastructure and take a lot of weight off of individual researchers and other companies to actually do the hard work of looking into vulnerabilities, seeing what's there, and seeing if it affects us. And NVD has basically given up and said that they're not going to do that. So that leaves people two options, basically, and we'll get to those.
We have new players that are entering the galaxy, to keep with the space theme of this conference. ENISA, as we've talked about, is probably the biggest one that is coming onto the stage that you guys know about. I'm sorry, wherever I look, I don't see the UK launching a similar organization. If they are, I'd be interested to hear about it and work with them. Right now it's ENISA, and it's going to be CISA, kind of running both vulnerability management spheres for Europe and North America. They have a bunch of great conferences. So if you're looking for really key conferences, I would go to the ENISA website. They have workshops, some of them virtual. They're really great if you want to talk to people at the policy-maker level and above.
The alternative database constellation. So there are two databases that are free that, if you're in vulnerability management, you know about. One of them is run by Google. It is osv.dev. osv.dev is probably the biggest collection of open source vulnerability data in the world. It is very intense. It has commit numbers and stuff. So if you're in the open source space, that's a place to be. GitHub Advisories is a secondary source that most people are using. GitHub Advisories are for software hosted on GitHub. So if you have software on GitHub and it has a bug in it, you can get a CVE for that bug today on the GitHub Security Advisory page. So it's growing fairly large. It's something to look at. Also, the nationals are very good about having data that you can access. Normally you have to be a member of a community. Getting read into those is hard. There are also ISACs, for if you're, you know, in oil and gas, etc. You can join and get privileged information there.
The one I really want to talk about is the commercial services. This is where I have some issues. We're building a poverty line in vulnerability management for most people that I really don't like. There are three or four companies who are worth hundreds of millions of dollars who make the core of their money by taking vulnerability data from the NVD and from the CVE program, enriching it, and selling it to organizations that can afford it. I like capitalism. Money is great. I'm not against that. But what that does is it means if you're in an organization that can shell out 50 or 60 or $70,000 a year to get a feed of vulnerability data, you are able to protect your network much better than people who are only able to look at public data. If you're a university, a high school, just a normal company with maybe one or two security people, one security person, you're not going to be able to spend that money to get that data. So I never tell people to go get a commercial vulnerability feed. I really want to work as hard as I can to open source this data. So if you go look at rogolabs.net, it's my open source lab where I try to push all this data out. I have some programs and some projects there I'd like you guys to look at. If you have any questions about them or any suggestions, please let me know.
So, we are in a fragmented universe, and this is kind of the "before" talk. I hope to come back next year and give you guys a much cleaner and better view of where the CVE program is and what it's at. But right now it's in a place where it's not in good shape for the average person and for the average organization, and we need everybody's voice to kind of jump in and help. If you use vulnerability data on a regular basis, there's a consumer working group that was just started by the CVE board that we'd like for you guys to join. If you use data in your job in an automated way, the automation working group has just moved to having their meetings at a Europe-friendly time, which is not a Jerry-friendly time. That means I have to get up at 6:00 a.m. to have meetings, but I've worked with Europe long enough to know that your opinion is super important. So if you'd like to be part of the automation working group, I can send you the link to that, and we'd love for you to join and talk about how getting data, accessing data, and using data is important for your programs, both vulnerability management and commercial programs.
So, let's just talk about prioritization and the new era before we move on. You're going to have to really think about how you patch vulnerabilities moving forward, and in a good way. Microsoft released a report, was it two months ago, three months ago, that said 90-plus percent of all Windows 11 machines are on automatic patching, and close to 75% of their servers are the same. So when I first started, my biggest job was to go patch Windows machines and Windows servers. I would get up at, you know, 2:00 a.m. on a Saturday, drive into a NOC, a network operations center, and sit there and reboot servers for six or seven hours over a Saturday.
Luckily nobody has to do that anymore. Microsoft has fixed that problem. So what I like to talk to people about with vulnerability management problems is to stop thinking about, oh, is everything patched, and start thinking about what is the hardest thing to patch on my network. Is it the Java 8 application? Is it the IoT stuff that I have? The stuff that's going to take 2 or 3 months, going to take planning, going to take time to sit down and come up with a plan and a rollback plan to start patching, because that's where you're going to get hacked. We are at a place where if you look for those hard vulnerabilities and patch those, you're going to make your network much, much safer, and you have to worry less about the automated patching that's coming out of both Microsoft and Apple.
So the next thing I'd like to talk about is building a data aggregation platform. I have a script on GitHub that I'm happy to share with you guys. It's an ELK script. It stands up a front end, and it brings in data from the CVE program and the EPSS program daily, and allows you to have all this data in one spot. It's the start of a CTI program, and it's free. I'm happy to talk to you guys about that afterwards. The correlation engine: this is where I can't help you. Automation is a super important part. You need to be able to hook your CVE data and your scan data into your CMDB so that you know what's on your network and can start to understand what's there, so you can start looking for the software. If you're from a company that develops software, you really need to take time and understand what your stack is and what libraries and data are used in those stacks. It's something that's easily overlooked, and your libraries are, 90% of the time, where you're going to end up being vulnerable. I like to joke with people: most people didn't know what Log4j was before the Log4j vulnerability, and then the next thing you know, in 48 hours people had to become Log4j experts. And most of the time, I think over half, more than half, of all installations of Log4j weren't vulnerable, so nothing needed to be done, but it just showed that they didn't know that they had that library in their application, what it was doing, how it was being used. So in those 48 hours after that came out, people were becoming Java experts overnight, saying, "Okay, we're not using this in this way, so we're safe." "Oh, we are. We need to update." The thing is that, if you believe the statistics, the average application built by a small to mid-size company has 500 libraries in there when you go to dependencies. So what's the next Log4j? Do you understand it? Do you have a dependency map for your application? Can you say, here are all the tools that we use that aren't written by us, that we have to monitor and make sure that the next time there's a vulnerability for them, we can look at it?
So I think that in the future we're going to move in three ways. We're going to reform the current CVE program. I hope that gets done in the next 6 to 18 months. AI will catch up and will be able to both analyze CVEs in your environment and fill in the CVE data that needs to be completed, so we could get rid of the backlog. I see that in the next two years. And then three, there's going to be a federated model before long. The US shouldn't run the CVE program for the world. I've seen stuff run by the UN, so I'm not going to say that the UN should run the CVE program. I think that it's probably going to have to be a federated group outside of the UN, and maybe outside of government, that is run by major companies, major organizations and major contributors, to see this into the next 25 years. The CVE programs
So key takeaways from our mission: embrace the multi-source. If you're not getting your vulnerability data from more than one source, you need to. Nobody is trustworthy 100% on their own. Context beats convenience. You have to know what's on your network, where it is running, what versions you're running, to make sure that you can move forward and have a secure network overall. And three, be prepared for this to change, and come back next year and this could be a completely different talk, because, you know, CISA could have been put out because Donald Trump woke up in a bad mood one day, right? So you never know with the US now; things are happening over there that I never thought would happen. So I am not willing to say that the future is one way or the other. I'm hopeful that everything stabilizes and that the CVE program is well run for many more years to come. But I would start having, at least in the back of your mind, what's your backup plan if CVE.org went offline for an extended period of time. And with that, safe travels, space pioneers. Does anybody have any questions?
>> Yes.
>> You talk about potentially... Oh, you're supposed to...
>> Oh, hello. So, you talk about potentially an independent group managing CVEs going forward. Has anybody ever considered the fact that, I would imagine, part of this challenge with more CVEs comes from people trying to promote their code more quickly, maybe not taking as much care or testing? So potentially fining people who create the CVE and using that to run it.
>> Well, that's an interesting question. I'll first start out by saying that about 40% of all CVEs are on WordPress plugins.
>> Oh.
>> And most WordPress plugins are open source software. If you criminalize open source software, that doesn't work. Also, there are not a lot of CVEs. When you start talking about data sets, there are less than 300,000, and I tell the data scientists that the data I work with is only 300,000 records. They're like, I get that in an hour, hour and a half, off some of my sensors. So it's not a big data set that we're working with. It's the need to hand-check most of it that's causing the issues.
>> Anything else?
>> No, that is it. Thank you.
>> So what you're saying is what we need is MITRE to sort it out and somebody to fund it realistically and go back to the way it was. But the problem is that the American government isn't going to pay the bill.
>> No, I think the American government will pay the bill. I think that ENISA and other corporations don't want to depend on the United States government to pay the bill anymore, because they don't think the program is well run. This is being recorded, so I will be polite here. The CVE program is 25 years old. It's still a Java-based program, and they're now putting all their data into a GitHub repository. There's no public API. Getting things changed is super hard. The board has mandated that there are only three fields necessary to publish a CVE record: the description, the affected product, and a CVE ID. And they're not willing to change that because they want to make it easy to publish CVEs. So there are a lot of deep structural problems with the CVE program that come from every level: the funding from the government, the way MITRE developed and ran the program, and the way the board manages the rules of the program have kind of come to a perfect storm here in the last 8 to 12 months that really need to be addressed before someone stands up and says, okay, the CVE program isn't savable, we're going to move everything to the European vulnerability database, and we're going to have some rules, it's going to be a modern platform and it's going to have an API, and then, I don't know, Brazil says the same thing and Mexico says the same thing and Canada says the same thing, and then we have, you know, 47 different vulnerability databases that your company is now responsible to report to if you sell software there, right? So that's the tug and pull, right? People don't like the CVE program, they'd like to see something different, but when push comes to shove, they're like, "Oh, let's stay with the CVE program before I have to go and report this vulnerability to every government independently." And it's a really hard place for people to be.
>> So change from within is probably the best option generally, or some coordination role?
>> Yeah, I mean, I think that there needs to be a big fundamental change in the CVE program, and I hope that that's what's coming. Thank you.
>> Anybody else? If not, thank you guys very, very much for your time. And enjoy lunch.
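The "correlation engine" step the speaker says he cannot help with (hooking CVE data to a dependency map of what you actually ship) can be sketched in a few dozen lines. The block below is an added example, not the speaker's ELK script nor anything from rogolabs.net. It takes records in the CVE Program's JSON 5.x shape (`containers.cna.affected[].versions[]`, with `lessThan` / `lessThanOrEqual` ranges and `affected` / `unaffected` statuses), a constructed Maven-style dependency inventory, and a hand-maintained alias table (the "context" the talk says beats convenience) mapping package coordinates to the vendor/product strings a CVE record uses. The sample record reuses the real Log4Shell ID, CVE-2021-44228, but is trimmed and simplified for illustration (later per-branch fixes are omitted), and the inventory, alias table and version-comparison rules are assumptions for this example.

```python
"""Correlate CVE JSON 5.x records against a dependency inventory (added example).

Decides which inventory components fall inside an 'affected' version range
and outside every 'unaffected' range, and flags components the alias table
cannot map (those are not clean, just unchecked).
"""
import re

# Constructed sample record in CVE JSON 5.x shape, trimmed to the fields used
# here. The ID is the real Log4Shell CVE; the ranges are simplified.
SAMPLE_CVE_RECORDS = [{
    "cveMetadata": {"cveId": "CVE-2021-44228", "state": "PUBLISHED"},
    "containers": {"cna": {"affected": [{
        "vendor": "Apache Software Foundation",
        "product": "Apache Log4j2",
        "versions": [
            {"version": "2.0-beta9", "status": "affected",
             "versionType": "custom", "lessThanOrEqual": "2.14.1"},
            {"version": "2.15.0", "status": "unaffected",
             "versionType": "custom", "lessThan": "*"},
        ],
    }]}},
}]

# Constructed dependency map (what a build tool would list for one application).
SAMPLE_INVENTORY = [
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.0-beta9"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.15.0"},
    {"name": "log4j:log4j", "version": "1.2.17"},
    {"name": "com.fasterxml.jackson.core:jackson-databind", "version": "2.13.0"},
]

# Assumed alias table: CVE records name (vendor, product); package managers
# name coordinates. Maintaining this mapping is the manual context step.
ALIASES = {
    "org.apache.logging.log4j:log4j-core": ("Apache Software Foundation", "Apache Log4j2"),
}

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE = 3  # a final release sorts after any pre-release of the same number


def version_key(v: str) -> tuple:
    """Sortable key for 'X.Y.Z' and 'X.Y-beta9' style versions; '*' is +inf."""
    if v == "*":
        return ((float("inf"),), 0, 0)
    main, _, pre = v.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    nums = tuple((nums + [0, 0, 0, 0])[:4])  # pad so 2.0 == 2.0.0
    if not pre:
        return (nums, _RELEASE, 0)
    m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m:
        return (nums, 0, 0)  # unknown pre-release label: treat like alpha
    label, num = m.groups()
    return (nums, _PRE_RANK.get(label.lower(), 0), int(num or 0))


def matches_entry(ver: str, entry: dict) -> bool:
    """True if ver falls in one CVE 5.x versions[] entry (range or exact)."""
    k, start = version_key(ver), version_key(entry["version"])
    if "lessThan" in entry:
        return start <= k < version_key(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return start <= k <= version_key(entry["lessThanOrEqual"])
    return k == start


def affected_components(records, inventory, aliases):
    """Return (hits, unmapped): hits are (name, version, cve_id) triples."""
    hits, unmapped = [], []
    for comp in inventory:
        key = aliases.get(comp["name"])
        if key is None:
            if comp["name"] not in unmapped:
                unmapped.append(comp["name"])
            continue
        for rec in records:
            cve_id = rec["cveMetadata"]["cveId"]
            for aff in rec["containers"]["cna"]["affected"]:
                if (aff.get("vendor"), aff.get("product")) != key:
                    continue
                statuses = {e["status"] for e in aff.get("versions", [])
                            if matches_entry(comp["version"], e)}
                if "affected" in statuses and "unaffected" not in statuses:
                    hits.append((comp["name"], comp["version"], cve_id))
    return hits, unmapped


if __name__ == "__main__":
    found, unknown = affected_components(SAMPLE_CVE_RECORDS, SAMPLE_INVENTORY, ALIASES)
    for name, ver, cve in found:
        print(f"AFFECTED  {name}@{ver}  {cve}")
    for name in unknown:
        print(f"UNMAPPED  {name}  (no vendor/product alias; needs a human)")
```

The unmapped list is the point the talk keeps returning to: `log4j:log4j` 1.x and `jackson-databind` are not reported clean here, only unchecked, because nothing ties their coordinates to a CVE record's vendor/product. Real version strings are messier than this comparator handles (date-based, vendor-specific, CPE wildcards), so treat the range logic as the part you harden first.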