The number of reported vulnerabilities of a product is sometimes cited as a measure of its relative security. In this article, we will dispel the notion that the count of Common Vulnerabilities and Exposures (CVEs) is a useful indicator of the security of products. Rather, CVEs simply serve to catalog security vulnerabilities and provide the needed transparency to help enterprises assess and manage risk for their organizations, and higher CVE counts are a sign of the growing maturity of the security ecosystem.
Malicious actors have grown both in number and sophistication, making it even more important to find and fix vulnerabilities that can be used as part of an attack. Fortunately, the security ecosystem and the security research community, which finds and reports vulnerabilities to vendors and open source maintainers so that they can be fixed, have also evolved. The growth in the number of security researchers and their sophistication has led to a steady rise in the number of security vulnerabilities reported to companies.
In many cases, this increase in CVE counts is correlated with the popularity or importance of the product in which the security defects are discovered, as these products attract the most attention from security researchers and malicious actors alike. The count may also reflect the maturity of the industry, open source maintainers, and product vendors in publicly cataloging and disclosing fixed security vulnerabilities so that customers can help to protect themselves by applying security updates in a timely manner. In addition, customers expect greater transparency.
As a result, more vendors are developing or have developed strategies to identify, address, and disclose security vulnerabilities, found externally and internally, through processes usually managed by their Product Security Incident Response Teams (PSIRTs). Simply put, the entire security ecosystem, including its tools and processes, is getting better at identifying and fixing security vulnerabilities. Increases in CVE counts should mostly be seen as positive progress rather than a negative indicator of security posture.
Vulnerabilities disclosed by security researchers through Coordinated Vulnerability Disclosure (CVD) allow vendors and maintainers to address security issues more comprehensively in their products. Coordination allows them to identify root causes and provide fixes that eliminate entire classes of vulnerabilities, rather than just single instances. Coupled with the industry’s adoption of the Secure Development Lifecycle (SDL), these measures help reduce the likelihood of similar vulnerabilities being introduced in future versions of products.
The transparency provided by CVEs also helps customers to manage their IT infrastructure and service risk. The various benefits of this are described at length in international standards (ISO/IEC 29147 (2018), ISO/IEC 30111 (2019)).
Enterprise customers and downstream vendors need to be aware of fixed vulnerabilities so they can deploy effective mitigations when they are publicly available. Providing a higher level of transparency to customers and partners through collaboration with security researchers, coordinators, and downstream vendors allows for increased trust and collaboration to better defend against the security threats of today and tomorrow. Higher CVE counts are a positive sign of a maturing security ecosystem and of the ongoing commitment by vendors and open source maintainers to develop and maintain secure products.
Tip: If you’d like to know more, the Forum of Incident Response and Security Teams (FIRST) created the Product Security Incident Response Team (PSIRT) Framework to help organizations create, maintain, and grow capabilities related to product security and coordinated vulnerability disclosure. This is a collaborative effort that presents different capabilities, services and outcomes of a PSIRT regardless of the size of the organization.
This post was edited on May 11, 2020 to correct the reference to the term CVE. CVE stands for Common Vulnerabilities and Exposures.