Friday, May 17, 2013

Known Software Vulnerabilities

The above graph summarizes the number of entries in the Common Vulnerability and Exposures list, organized by year of creation.  This is a list maintained by Mitre (a government funded non-profit research organization), which provides a standard number to all publicly known software vulnerabilities.  Each entry summarizes an individual flaw in some piece of software which could allow a compromise of the security of that software.

This data summarizes a complex process and is somewhat hard to interpret.  Software vulnerabilities are created by software engineers making mistakes when they write software code.  A certain fraction of those mistakes will be "exploitable", meaning that it is possible for a determined attacker to use the logic error to compromise system security.  Many such vulnerabilities are unknown - the original engineer didn't realize the existence of his error, and no-one else has ever discovered it either.  Some vulnerabilities are known internally at the organization that maintains the software, but not known publicly.  Some vulnerabilities become known to some external parties, but not publicly (for example, intelligence agencies have sizeable efforts to discover vulnerabilities for use in espionage, which they do not make public).

A small fraction (probably) of all vulnerabilities become publicly known to the security community, and those generally receive a CVE identifier.  As you can see above, this number was growing for a while, but plateaued in the mid 2000s and has been running around 5000-7000 per year.

Vulnerabilities vary widely in their significance.  Vulnerabilities in widely used software can be (and are) used extensively in cyber-crime and espionage.  Vulnerabilities in critical software could potentially be used to cause crippling cyber-attacks.  Vulnerabilities in rare and unimportant software may not matter much.  The above graph simply counts all of them.


Alan Post said...

One of the smaller software communities I participate in has just this year begun using this service when we discover potentially exploitable bugs.

My sense of this database is that it understates the magnitude of the problem: software is not really the thing that's exploitable, it's the computer system that is: the *running* code.

This database manages vulnerabilities against software, but my guess would be that most significant exploits come in the form of poorly configured and poorly managed computers.

The sort of problem captured by this data is necessary but not sufficient to successfully penetrate a computer system.

Celle said...

Totaly out of context. Sorry.

Alternative energy breakthrough!
Independent report confirms excess energy!

This has the potential to change (or ruin) the world.