Understanding the weaknesses and vulnerabilities of a system or network is a big step towards correcting those vulnerabilities or putting appropriate countermeasures in place to mitigate the threats against them. Several organizations maintain public databases that catalogue and classify known vulnerabilities.
Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known vulnerabilities and security exposures. It is maintained by the MITRE Corporation and sponsored by the US Department of Homeland Security. MITRE is a non-profit American organization that operates in the public interest. Its areas of focus are systems engineering, information technology, operational concepts, and enterprise modernization.
According to a new Risk Based Security report covering the first half of 2019, 54% of the vulnerabilities disclosed in 2019 are web-related; 34% have public exploits; 53% can be exploited remotely; and 34% have no documented fix.
“34% of the vulnerabilities have no solution, which can be explained by the fact that the vendors do not issue any fixes. This can happen when the researcher has not informed the vendor, so that they are not aware of the vulnerability,” said Brian Martin, vice president of vulnerability intelligence at Risk Based Security. “In addition, if a company uses vulnerability analysis, it may simply not know all of its assets. For example, if it does not scan its entire IP space, or uses a scanner unable to identify 100% of its assets, devices and servers may not be fixed.”
The report also reveals that just five vendors account for 24.1% of the vulnerabilities disclosed by mid-2019. Among the vulnerabilities not published by CVE/NVD, 28.2% have a CVSSv2 score between 7.0 and 10.0, i.e. the "High" band. At the same time, 8.6% of vulnerabilities with a CVE identifier are still in RESERVED status despite having been publicly disclosed.
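To make the report's categories concrete, here is an added example (not code from the report, Risk Based Security, or MITRE) that validates CVE identifier syntax, maps CVSSv2 scores to the Low/Medium/High bands NVD uses for v2, and computes the two coverage figures quoted above over a small constructed record set. The record layout, the PUBLIC/RESERVED status labels and the sample entries are assumptions made for illustration.

```python
"""Coverage metrics of the kind the report describes, over constructed records.

Added example: the records below are made up for illustration and are not
data from the report, from CVE/NVD, or from VulnDB.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# CVE identifier syntax: "CVE-", a four-digit year, "-", and at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: Optional[str]) -> bool:
    """True only for a syntactically well-formed CVE identifier."""
    return bool(cve_id) and CVE_ID_RE.match(cve_id) is not None


def cvss2_severity(score: float) -> str:
    """CVSSv2 qualitative bands as used by NVD: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSSv2 score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class VulnRecord:
    """One vulnerability record (hypothetical layout, not a VulnDB or NVD schema)."""
    title: str
    cve_id: Optional[str]        # None when no CVE has been assigned
    cve_status: Optional[str]    # "PUBLIC" or "RESERVED" (assumed labels)
    cvss2: Optional[float]       # None when no CVSSv2 score has been published
    publicly_disclosed: bool     # details are public (advisory, exploit, write-up)


# Constructed sample data; the CVE numbers are placeholders, not real entries.
SAMPLE_RECORDS: List[VulnRecord] = [
    VulnRecord("Router RCE", "CVE-2019-0001", "PUBLIC", 9.3, True),
    VulnRecord("Webmail XSS", "CVE-2019-0002", "RESERVED", None, True),
    VulnRecord("CMS SQL injection", None, None, 7.5, True),
    VulnRecord("Forum info leak", None, None, 5.0, True),
    VulnRecord("Agent DoS", "CVE-2019-0005", "PUBLIC", 4.3, True),
    VulnRecord("IoT default creds", None, None, 10.0, True),
    VulnRecord("Pending advisory", "CVE-2019-0008", "RESERVED", None, False),
]


def summarize(records: List[VulnRecord]) -> Dict[str, float]:
    """Compute the share of non-CVE records scored High and the share of
    CVE-bearing records still RESERVED although publicly disclosed."""
    no_cve = [r for r in records if not is_valid_cve_id(r.cve_id)]
    no_cve_high = [
        r for r in no_cve
        if r.cvss2 is not None and cvss2_severity(r.cvss2) == "High"
    ]
    with_cve = [r for r in records if is_valid_cve_id(r.cve_id)]
    reserved_public = [
        r for r in with_cve
        if r.cve_status == "RESERVED" and r.publicly_disclosed
    ]

    def pct(part: list, whole: list) -> float:
        return round(100.0 * len(part) / len(whole), 1) if whole else 0.0

    return {
        "total": len(records),
        "without_cve": len(no_cve),
        "without_cve_high_pct": pct(no_cve_high, no_cve),
        "with_cve": len(with_cve),
        "reserved_despite_disclosure": len(reserved_public),
        "reserved_pct": pct(reserved_public, with_cve),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The two ratios mirror the report's figures: the first is computed only over records with no CVE identifier, the second only over records that have one, so a scanner feed that keys on CVE IDs alone would miss every record in the first group and misjudge the severity of those in the second.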
“A recurring theme in VulnDB reports is that CVE/NVD still does not cover enough vulnerabilities,” adds Martin. “Many organizations, scanning companies, risk platforms and security service providers insist that CVE/NVD vulnerability intelligence is pretty good.”