Software defects across MOVEit file-transfer services, Log4Shell and Citrix Bleed are among the highest-profile vulnerabilities that have been exploited in recent years, but they represent just a sliver of the total CVEs causing widespread damage.
The volume of CVEs is steadily increasing each year — SecurityScorecard recorded 29,000 vulnerabilities in 2023 and already this year it tracked nearly 27,500 vulnerabilities.
That number is expected to hit 34,888 in 2024, a 25% increase, according to Coalition’s 2024 Cyber Threat Index report. It underscores the challenge for organizations to continuously manage vulnerabilities and strengthen defenses against potential exploits.
While three-quarters of organizations employ a formal program to manage vulnerabilities, many are struggling with a backlog they cannot fix and a growing number that need vendors or the open-source community to remediate, according to the SANS 2022 Vulnerability Management Survey.
Organizations need effective CVE management to mitigate the risks posed by these vulnerabilities, but many struggle with the complexity of identifying and prioritizing the most critical threats amid a constant influx of new vulnerabilities.
“The sheer number of CVEs makes it difficult to keep track of all potential vulnerabilities,” said Amit Bismut, head of product at Backslash Security.
With many vulnerabilities deemed critical, the challenge is deciphering which ones pose the biggest risk. One way is to understand if the CVE can potentially be exploited in your specific environment, Bismut said.
Organizations need to prioritize vulnerabilities that represent a specific risk to the environment and direct resources so that the most dangerous vulnerabilities are mitigated promptly.
“Context helps security teams focus on vulnerabilities with the most significant threat to their unique setup, rather than trying to address every single issue,” he said.
How CVE identifiers help vulnerability ranking
Using the CVE number, which is a common identifier, security teams can rank vulnerabilities according to a range of data sources and use vulnerability scanners or intrusion detection systems to find them.
It wasn’t always this way. Before CVE identification was formalized, security teams had to piece together vulnerability information from vendor advisories and mailing lists on their own, according to TK Keanini, CTO of DNSFilter and founding member of the CVE program.
The CVE program, now in its 25th year, has become foundational to many other security standards, including ISO standards, payment card industry requirements and the HITRUST (Health Information Trust Alliance) security framework.
It’s used in compliance, risk management and cybersecurity protocols, providing a standardized method for identifying and referencing specific vulnerabilities with a common identifier used by security teams everywhere.
“By incorporating all of these different perspectives, it creates a better, more actionable and more accurate workflow,” said Keanini.
With the rising tide of vulnerabilities, it’s not feasible to tackle every risk. Ranking assigns every CVE a risk weight, which is critical to prioritizing patching and vulnerability management, especially as the number of CVEs keeps growing.
Every new line of code that’s introduced provides new opportunities for more CVEs, noted Keanini.
“We're not counting a static space. That’s why the scoring’s important to stack rank and know which ones are on your network,” he said.
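As an added illustration of the ranking Bismut and Keanini describe, and not code from the article or from any of the companies quoted, the following Python script matches a constructed set of advisories against a constructed asset inventory and weights each finding by whether exploitation has been observed and whether the affected host is exposed to the internet. The identifiers, scores, package names, version ranges and weighting factors are all assumptions chosen for the example; only the CVE identifier format (CVE, a four-digit year, then four or more digits) is taken from the CVE program.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE identifiers are "CVE-<4-digit year>-<4 or more digits>".
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Weighting factors are assumptions for this example, not a published standard.
EXPLOITED_FACTOR = 2.0   # exploitation observed in the wild
EXPOSED_FACTOR = 1.5     # affected host reachable from the internet


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    cvss_base: float            # base severity, 0.0 to 10.0
    known_exploited: bool       # e.g. listed in a known-exploited catalogue
    package: str
    introduced: str             # first affected version, inclusive
    fixed: Optional[str]        # first fixed version, exclusive; None = no fix yet


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_exposed: bool


def validate_cve_id(cve_id: str) -> str:
    """Reject malformed identifiers before they enter the ranking."""
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE identifier: {cve_id!r}")
    return cve_id


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(adv: Advisory, asset: Asset) -> bool:
    """One advisory covers every version in [introduced, fixed)."""
    if adv.package != asset.package:
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def priority(adv: Advisory, asset: Asset) -> float:
    """Severity scaled by exploitation evidence and by the host's exposure."""
    score = adv.cvss_base
    if adv.known_exploited:
        score *= EXPLOITED_FACTOR
    if asset.internet_exposed:
        score *= EXPOSED_FACTOR
    return round(score, 2)


def rank(advisories, assets):
    """Return (cve_id, host, score) for every applicable finding, highest first.

    Advisories whose package is not installed anywhere produce no finding at all:
    they are not a risk to this environment, whatever their base score.
    """
    findings = []
    for adv in advisories:
        validate_cve_id(adv.cve_id)
        for asset in assets:
            if is_affected(adv, asset):
                findings.append((adv.cve_id, asset.host, priority(adv, asset)))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


# Constructed sample data: fictitious identifiers, packages and versions.
ADVISORIES = [
    Advisory("CVE-2099-0001", 9.8, True,  "libexample", "1.0.0", "1.4.2"),
    Advisory("CVE-2099-0002", 7.5, False, "libexample", "1.3.0", None),
    Advisory("CVE-2099-0003", 9.1, False, "otherlib",   "2.0.0", "2.0.5"),
]
ASSETS = [
    Asset("web01",   "libexample", "1.3.5", internet_exposed=True),
    Asset("db01",    "libexample", "1.4.2", internet_exposed=False),
    Asset("ci01",    "otherlib",   "2.0.3", internet_exposed=False),
    Asset("build01", "otherlib",   "2.1.0", internet_exposed=False),
]

if __name__ == "__main__":
    for cve_id, host, score in rank(ADVISORIES, ASSETS):
        print(f"{score:6.2f}  {cve_id}  {host}")
```

Two things in the output make the "context" argument concrete: the advisory with the highest base score that is not being exploited (CVE-2099-0003, 9.1) ranks below a 7.5 advisory on the internet-facing host, and the patched host (db01 at 1.4.2) drops out of the CVE-2099-0001 findings entirely because the version range check treats the fixed version as the exclusive upper bound. A real pipeline would pull the exploitation flag and the version ranges from vulnerability data sources rather than hard-coding them, but the matching and weighting logic is the same.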
Tackling CVEs with a strategic business lens
While the headline number of CVEs is going up, there’s more to it than that, given that a single CVE number can often refer to more than a single piece of code.
“One CVE might affect multiple different versions of software or packages of software, especially if that CVE is embedded in very pervasive code,” said Dustin Kirkland, VP of engineering at Chainguard.
When a vulnerability is discovered and assigned a CVE, the record is enriched with additional information, but that doesn’t automatically mean it will lead to an attack: a vulnerability may have only a proof of concept behind it, or may be a theoretical problem with no demonstrated exploit at all.
“Not every CVE comes with either a fix or even a proof of concept that shows it’s a real problem that could be exploited in the wild,” Kirkland said.
If the finding warrants it, a fix is issued or the weakness is published so that security teams and scanning tools are aware of it.
The scoring system helps ensure that the real, egregious vulnerabilities get a higher priority than the lowest-ranked ones, which could be considered merely nice to fix.
While the usual practice is responsible disclosure so that a vulnerability can be identified and tracked, some vulnerabilities are instead sold on underground markets by hackers and cybercriminals before any CVE is assigned.
“There's certainly an underground market for zero-day [vulnerabilities] and for undisclosed vulnerabilities, where they’re bought and sold on an underground market by some shady organizations,” he said.
Scanning tools are vital in neutralizing CVEs, yet the work is not simply a matter of turning a vulnerability dashboard from red to green whenever it is checked on a periodic basis.
While vulnerability management is largely driven by adherence to some compliance framework, security chiefs don’t usually have a singular goal of eliminating CVEs.
“It’s usually tied to a business objective,” said Kirkland.