Vulnerabilities on the decline, but risk assessment is often flawed, study says says

The number of vulnerabilities could reach a three-year low in 2014, but correctly assessing their risk can be hard, IBM researchers said

Based on data gathered over the first six months of 2014, security researchers from IBM X-Force predict that the number of publicly reported vulnerabilities will drop to under 8,000 this year, a first since 2011.

While the majority of flaws disclosed so far fall into the medium-risk category, the IBM researchers said that the widely used system to rate their severity often fails to reflect the real risk they pose to users.

Over the first half of the year, the IBM X-Force team collected reports about 3,900 security vulnerabilities from advisories published by software vendors, security industry mailing lists and other sources. If vulnerability disclosures continue at the same rate, the number of flaws reported in 2014 will fall under 8,000, several hundred less than in each of the previous two years, the team said in a report released this week.

"It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014," the X-Force researchers said. "However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014)."

Security experts have argued in the past that overall number of vulnerabilities is not as relevant for as their impact. However, despite attempts to standardize methods of assessing the severity of vulnerabilities, like the Common Vulnerability Scoring System (CVSS), there are many cases where the true risk posed by certain flaws is not represented accurately.

"Many in the industry, including security analysts, corporate incident response teams and enterprise software consumers, have become dissatisfied with scoring inconsistencies that often occur across different organizations," the X-Force researchers said. "Sometimes the inconsistencies are the result of the subjectivity that can go into how an individual or organization scores vulnerabilities, but they can also result from some of the inherent flaws in the current CVSS standard and a lack of clear guidelines on how to objectively assess certain types of vulnerabilities."

One prime example is the Heartbleed flaw disclosed in the OpenSSL library in early April that can be exploited by attackers to extract sensitive information from the memory of Web servers. The vulnerability received a CVSS base score of 5.0 out of 10, which puts it into the medium-risk category.

"With the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate," the X-Force researchers said. "This also brings to question what other vulnerabilities fell into the medium-risk category (CVSS base score 4.0 to 6.9) that may have been disregarded by organizations, but that also had potential large-scale impacts similar to Heartbleed."

Sixty-seven percent of vulnerabilities disclosed during the first half of 2014 fell into the medium-risk level based on their assigned CVSS scores, according to the IBM report. This is similar to numbers seen in the previous two years.

In 2013, Carsten Eiram, the chief research officer at Risk Based Security, and Brian Martin from the Open Security Foundation, two researchers experienced in maintaining vulnerability databases wrote an open letter detailing CVSS shortcomings to the Forum for Incident Response and Security Teams (FIRST), the organization that maintains the standard.

"While CVSSv2 saw improvements over CVSSv1, the scheme is still not adequately supporting real life usage, as it suffers from being too theoretical in certain aspects," Eiram and Martin wrote in their letter. "Specific vulnerability types and vectors are not properly supported while others are not properly described, leading to subjective and inconsistent scoring, which CVSS was designed to prevent."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesForum for Incident Response and Security TeamsOpen Security FoundationsecurityIBMRisk Based Securitypatch managementExploits / vulnerabilities

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?