[Owasp-natal] Vulnerabilities, A Decade of Maturation

Noilson Caio caiogore at gmail.com
Monday, March 26 00:05:06 UTC 2012


Vulnerabilities, A Decade of Maturation

Vulnerabilities are weaknesses in software that enable an attacker to
compromise the integrity, availability, or confidentiality of that software
or the data it processes. Some of the worst vulnerabilities allow attackers
to exploit a compromised computer, causing it to run arbitrary code without
the user’s knowledge.

The past 10 years represent a very interesting timeframe for reviewing
vulnerability disclosures and ensuing changes that continue to affect risk
management in IT organizations around the world. Before examining the
charts and trends, a brief review of the past decade with regard to
industry vulnerabilities is in order.

*A decade of maturation*

In 2002 MITRE presented A Progress Report on the CVE Initiative
<https://cve.mitre.org/docs/docs-2002/prog-rpt_06-02/CVE_FIRST_paper.pdf> (PDF),
which provided an update on a multi-year effort to create a
consistent and common set of vulnerability information—with a particular
focus on unique naming—to enable the industry to easier assess, manage, and
fix vulnerabilities and exposures. The CVE effort and data later formed the
core of the National Institute of Standards and Technology (NIST) National
Vulnerability Database <http://nvd.nist.gov/> (NVD), the U.S. government repository of
standards-based vulnerability management data that serves as the primary
vulnerability index for industry vulnerabilities referenced in the *SIR*.

2002 also marked the beginning of a commercial market for vulnerabilities;
iDefense started a vulnerability contributor program that paid finders for
vulnerability information.

In 2003, the U.S. National Infrastructure Advisory Council (NIAC)
commissioned a project “to propose an open and universal vulnerability
scoring system to address and solve these shortcomings, with the ultimate
goal of promoting a common understanding of vulnerabilities and their
impact.” This project resulted in a report recommending the adoption of the
Common Vulnerability Scoring System
<http://www.first.org/cvss/cvss-dhs-12-02-04.pdf> (PDF) (CVSSv1)
in late 2004. Vulnerability severity (or scoring)
information was a big step forward, because it provided a standard method
for rating vulnerabilities across the industry in a vendor-neutral manner.

2007 brought an update to CVSS, with changes that addressed issues
identified by the practical application of CVSS since its inception.
*SIR* volume 4, which provided data and analysis for the second half of
2007, included vulnerability trends using both CVSSv1 and CVSSv2, and since then
CVSSv2 ratings have been used. As noted at the time, one practical effect
of the new ratings formulas was that a much higher percentage of
vulnerabilities were rated High or Medium severity.

*Industry-wide vulnerability disclosures*

A *disclosure*, as the term is used in the *SIR*, is the revelation of a
software vulnerability to the public at large. It does not refer to any
type of private disclosure or disclosure to a limited number of people.
Disclosures can come from a variety of sources, including the software
vendor, security software vendors, independent security researchers, and
even malware creators.

Much of the information in this section is compiled from vulnerability
disclosure data that is published in the NVD. It represents all disclosures
that have a CVE (Common Vulnerabilities and Exposures) number.

The past decade has seen drastic growth in new vulnerability disclosures,
which peaked in 2006 and 2007 and then steadily declined over the next four
years to just over 4,000 in 2011, which is still a large number of
vulnerabilities.

[Figure: Industry-wide vulnerability disclosures since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities.jpg>

Vulnerability disclosure trends:

   - Vulnerability disclosures across the industry in 2011 were down 11.8
   percent from 2010.
   - This decline continues an overall trend of moderate declines.
   Vulnerability disclosures have declined a total of 37 percent since their
   peak in 2006.


*Vulnerability severity*

The Common Vulnerability Scoring System (CVSS) is a standardized,
platform-independent scoring system for rating IT vulnerabilities. The CVSS
assigns a numeric value between 0 and 10 to vulnerabilities according to
severity, with higher scores representing greater severity. (See the
Vulnerability Severity page
<http://www.microsoft.com/security/sir/keyfindings/default.aspx#%21section_2_1_def>
on the *SIR* website for more information.)

[Figure: Relative severity of vulnerabilities disclosed since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities2.jpg>

Vulnerability severity trends:

   - The overall vulnerability severity trend has been a positive one.
   Medium and High severity vulnerabilities have steadily decreased since
   their high points in 2006 and 2007.
   - Even as fewer vulnerabilities are being disclosed overall, the number
   of Low severity vulnerabilities being disclosed has been relatively flat.
   Low severity vulnerabilities accounted for approximately 8 percent of all
   vulnerabilities disclosed in 2011.


*Hardware and software disclosures*

The NVD tracks both hardware and software vulnerabilities. The number of
hardware vulnerabilities disclosed each year remains low, as shown in the
following figure. The peak number was 198 (3.4 percent) hardware
vulnerabilities disclosed in 2009.

[Figure: Hardware and software vulnerability disclosures since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities3.jpg>

Software vulnerabilities consist of vulnerabilities that affect operating
systems, applications, or both. As in many other industries, one vendor’s
product can be another vendor’s component. For example, CVE-2011-1089
affects GNU libc 2.3, which is listed as an application product from GNU.
However, libc is also an integrated component in several operating systems
and is therefore also an operating system vulnerability. For this reason,
it is difficult to draw a distinct line between operating system and
application vulnerabilities. In the following figure, vulnerabilities that
affect both operating systems and applications are shown in red.

[Figure: Application and operating system vulnerability disclosures since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities4.jpg>

In 2010 and 2011, approximately 13 percent of software vulnerabilities
affected both application and operating system products.


*Operating system vulnerability disclosures*

To determine the number of vulnerabilities that affect operating systems
(shown in the following figure), vulnerabilities were filtered for affected
products that were designated as operating systems in the NVD.

[Figure: Operating system vulnerability disclosures since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities5.jpg>


*Application vulnerability disclosures*

To determine the number of vulnerabilities that affect applications (shown
in the following figure), vulnerabilities were filtered for affected
products that were designated as applications in the NVD.
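As an added example (not code from the SIR or the NVD), the classification this section describes, carried out in Python over constructed CVE-style records: the severity band from the CVSS v2 base score, hardware versus software from the CPE part field of each affected product, and OS, application or both (the red bars in the figures) from the full affected-product list. The record layout, the sample CPE 2.2 URIs and the rule for records that mix hardware and software products are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real NVD data): (cve_id, year, cvss_v2_base, [cpe_2.2_uris]).
# Row 1 mirrors the text's glibc case: an application product that is also an OS component.
SAMPLE = [
    ("CVE-0000-0001", 2011, 6.2, ["cpe:/a:gnu:glibc:2.3", "cpe:/o:example:linux_distro:6"]),
    ("CVE-0000-0002", 2011, 2.1, ["cpe:/a:example:editor:1.0"]),
    ("CVE-0000-0003", 2011, 9.3, ["cpe:/o:example:kernel:3.0"]),
    ("CVE-0000-0004", 2009, 7.8, ["cpe:/h:example:router:2"]),
]

def cvss2_severity(score):
    """NVD's CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def cpe_part(uri):
    """Return the CPE 2.2 part letter: h (hardware), o (operating system) or a (application)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    part = uri[5:].split(":", 1)[0]
    if part not in ("h", "o", "a"):
        raise ValueError(f"unknown CPE part {part!r} in {uri}")
    return part

def classify(cpes):
    """Assumed rule: 'hardware' if every product is hardware, else os/app/both from the software parts."""
    parts = {cpe_part(c) for c in cpes}
    if not parts:
        raise ValueError("record lists no affected products")
    if parts == {"h"}:
        return "hardware"
    sw = parts - {"h"}
    if sw == {"o", "a"}:
        return "both"
    return "os" if sw == {"o"} else "app"

def summarize(records):
    """Per-year totals with severity-band and product-category counts, as in the SIR figures."""
    by_year = defaultdict(lambda: {"total": 0, "severity": Counter(), "category": Counter()})
    for _cve, year, score, cpes in records:
        y = by_year[year]
        y["total"] += 1
        y["severity"][cvss2_severity(score)] += 1
        y["category"][classify(cpes)] += 1
    return dict(by_year)

def share(summary, year, key, value):
    """Percentage of a year's disclosures in one bucket, e.g. share(s, 2011, "category", "both")."""
    y = summary[year]
    return round(100.0 * y[key][value] / y["total"], 1)
```

Run against a full NVD export, `share(s, year, "category", "both")` gives the "affected both application and operating system products" figure the text quotes, and `share(s, year, "severity", "Low")` the Low-severity share.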

[Figure: Application vulnerability disclosures since 2002]
<http://www.microsoft.com/security/assets/images/_security/sir_v11/story/10YearHistory/malware_evolution_10year_vulnerabilities6.jpg>



-- 
"I want to know how to rename a file," he says.
Please, it's payday, isn't it?! But I'm in a good mood.
"Sure. Just run 'rm' and the file name."
"Thanks."

Noilson Caio T. de Araújo
Linux Professional Institute Certification
LPI000182893
Novell Certified Linux Administrator (CLA)
10111916
Novell Data Center Technical Specialist
http://ncaio.ithub.com.br
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php