AppSec & Supply Chain Security | November 22, 2023

Don't let CVEs distract you: Shift your AppSec team's focus to malware

Rather than wasting cycles on non-exploitable or remediated security holes, teams should focus on exploitability, and look for compromises including malware and tampering. Here's why.

John P. Mello Jr., freelance technology writer

Chasing vulnerabilities can be a time-consuming and time-wasting pursuit for application security (AppSec) teams. A big part of the problem has been the sheer volume of vulnerabilities being reported in recent years, which increases the chances of invalid reports slipping through the system.

As ReversingLabs noted in its report in 2022, flaws in open-source software are contributing to a sharp rise in reports to the National Vulnerability Database (NVD), but emerging software supply chain attacks warrant a rethink of the NVD — and of the approach of software security teams — to go beyond common software vulnerabilities.

Adding to the challenge: a Common Vulnerabilities and Exposures (CVE) process that can be slow and bureaucratic. Not only does that mean that the machinery can't keep up with the rapidly changing security landscape, but it also encourages researchers to automate their endeavors, leading to an increase in low-quality reports.

Two recent cases highlight the problem with the CVE process: CVE-2020-21469 and CVE-2020-19909 — both marked with 9.8 CVSS scores — were deemed not to be vulnerabilities by the maintainers of the projects targeted by those CVEs.

No one is saying you should abandon CVEs and the NVD — plus, updates and enhancements to vulnerability reporting and scoring will improve the system. However, to properly manage AppSec risk, your team needs to shift its focus toward evidence of actual compromise, such as malware and tampering. Top subject matter experts explain why.

Get reports: The Monsters in Your Software Supply Chain NVD Analysis: A Call to Action on Supply Chain Security

The shifting focus of threat actors

Dan Lorenc, founder and CEO of Chainguard, wrote on LinkedIn about the two problematic CVEs, emphasizing that they were only a small representation of a bigger problem with the CVE process. "[These] are part of a larger group — 138 new CVEs all entered the same day, backdated against things found earlier," he wrote.

Someone is clearly scraping old issues and commits to file these in an automated fashion, without ever getting maintainers involved. Yes, CVSS is broken and needs to change. Yes, the NVD data quality is bad and could be improved. But the overall incentives need to change rapidly and we need a higher bar for entries placed against critical projects that will cause the most time to be wasted.

Dan Lorenc

The ReversingLabs NVD report noted that in the context of rising software supply chain attacks, the growth in reports to the NVD suggests that the focus of malicious actors is shifting. And yet the NVD is still dominated by flaws in a handful of legacy platforms by firms such as Microsoft, Red Hat, Google, Apple, and Oracle.

Roger Neal, head of product at AppSec company Apona Security, said the CVE reporting process is fundamental to cybersecurity, offering a standardized method for identifying and cataloging vulnerabilities, but it is failing to keep up with the volume of reports and the pace of software development today.

[It] does have its flaws, mainly due to the sheer volume of vulnerabilities being reported to the NVD database. Additionally, the static nature of the CVSS, which does not account for the actual exploitability of the vulnerability in relation to specific software, can be a limitation.

Roger Neal

Why prioritize malware over vulnerabilities?

Rather than wasting cycles hunting for obscure, non-exploitable or remediated security holes — and checking that box — AppSec teams should focus efforts on exploitability and look for evidence of compromise such as malware and tampering. Here are six reasons for prioritizing searching for malicious software over chasing vulnerabilities:

  • Malware is a real threat, while a CVE may or may not pose a threat to a particular organization. Malware actively targeting systems indicates that actual compromise or exploitation has occurred, compared to theoretical vulnerabilities that may never be leveraged.
  • Actively looking for malware such as Trojans, viruses, and other malicious software allows for faster incident response to mitigate damage and prevent spreading.
  • Malware detection gives actionable intelligence to security teams on what they should specifically look for and defend against on their networks.
  • Focusing on malware leverages defenses better because technologies such as antivirus, network monitoring, and host-based defenses are well suited for detecting known malware signatures and behaviors.
  • Finding malware shows teams how attackers are operating and the specific techniques they use. It allows security teams to track attackers and align their defenses to real activity.
  • Malware hunting can uncover unknown threats and may detect new variants or families not tied to known vulnerabilities.

CVSS 4.0 and EPSS to the rescue?

While acknowledging the importance of ferreting out malicious code, Apona Security’s Neal advocates for a balanced approach to defending organizations from threats, and he highlights new approaches, including the Exploit Prediction Scoring System (EPSS).

Although the CVSS has its limitations, it shouldn't be completely abandoned. Instead, integrating CVSS with a suitable scoring metric like EPSS can provide a more comprehensive understanding of which vulnerabilities are most likely to be exploited.

Roger Neal

A dual approach allows teams to not only address impactful vulnerabilities, but also place equal emphasis on preventing malicious code, thereby enhancing an organization's overall security posture, Neal said. And some of the criticisms of the CVSS have been addressed in the latest version of the standard, version 4.0.
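The dual approach Neal describes can be made concrete as a triage step. The following is an added example written for this article, not code from ReversingLabs or any of the experts quoted: it gates each finding on its exploitability status (a VEX-style flag marking it remediated or not affected, as with the two disputed CVEs above) and then ranks what remains by a composite of CVSS base score and EPSS probability. The composite formula, the status names, the EPSS values, and the `CVE-0000-000N` identifiers are all assumptions or constructed placeholders, not real data.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    cve: str
    component: str
    cvss: float        # CVSS base score, 0-10
    epss: float        # EPSS probability of exploitation in the next 30 days, 0-1
    vex_status: str    # assumed values: "affected", "not_affected", "fixed", "under_investigation"

# Statuses that mean the finding needs no remediation work, regardless of CVSS.
DEPRIORITIZED_STATUSES = {"not_affected", "fixed"}

def priority(f: Finding) -> float:
    """Composite score (assumed heuristic): severity weighted by likelihood of exploitation.

    A disputed or remediated finding scores 0.0 even at CVSS 9.8, which is the point
    the article makes about CVE-2020-21469 and CVE-2020-19909.
    """
    if f.vex_status in DEPRIORITIZED_STATUSES:
        return 0.0
    return round(f.cvss * f.epss, 3)

def triage(findings: List[Finding]) -> Tuple[List[Tuple[str, float]], List[str]]:
    """Return (ranked work queue, deprioritized CVE ids).

    The work queue is sorted by descending priority; findings gated out by VEX status
    are reported separately so the decision stays auditable.
    """
    queue = [(f.cve, priority(f)) for f in findings if f.vex_status not in DEPRIORITIZED_STATUSES]
    queue.sort(key=lambda item: item[1], reverse=True)
    skipped = [f.cve for f in findings if f.vex_status in DEPRIORITIZED_STATUSES]
    return queue, skipped

# Constructed sample input. The two 2020 CVEs carry the 9.8 scores the article cites and
# the "not_affected" status reflecting the maintainers' dispute; their EPSS values and all
# CVE-0000-* rows are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-21469", "postgresql", 9.8, 0.004, "not_affected"),
    Finding("CVE-2020-19909", "curl",       9.8, 0.002, "not_affected"),
    Finding("CVE-0000-0001",  "libexample", 7.5, 0.92,  "affected"),
    Finding("CVE-0000-0002",  "otherlib",   9.1, 0.01,  "affected"),
    Finding("CVE-0000-0003",  "thirdlib",   5.3, 0.40,  "under_investigation"),
]

if __name__ == "__main__":
    queue, skipped = triage(SAMPLE_FINDINGS)
    print("Work queue (cve, priority):")
    for cve, score in queue:
        print(f"  {cve}  {score}")
    print("Deprioritized by VEX status:", ", ".join(skipped))
```

Note that the 9.1-rated `CVE-0000-0002` lands last in the queue because its EPSS probability is near zero, while a 7.5 with high exploit likelihood leads; the two 9.8 CVEs never enter the queue at all. In practice the EPSS field would be fetched from the FIRST EPSS feed and the VEX status from the vendor's advisory or an internal reachability analysis, rather than hard-coded as here.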

The latest iteration of the CVSS has made significant strides in addressing the challenges associated with the CVE reporting process. This version enhances the granularity and specificity of vulnerability scoring, providing a more accurate depiction of the real-world risk posed by various vulnerabilities.

Roger Neal

Mayuresh Dani, a threat research manager at Qualys, said CVSS v4.0 adds additional sources such as threat intelligence and alleviates environmental metrics for better scoring a vulnerability. It also adds fields such as attack requirements and user interaction metrics under the exploitability metrics, he said.

Using these new and granular metrics, consumers can ascertain the real impact of a vulnerability in their environment.

Mayuresh Dani

See ReversingGlass: EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key

Can more nuanced scoring make CVSS more relevant?

Callie Guenther, a cyberthreat research senior manager at cybersecurity company Critical Start, said the changes in the latest version of CVSS, which focus on ensuring a comprehensive vulnerability assessment and creating a more nuanced scoring methodology, are causes for hope — but will probably require further refinement.

Guenther said CVSS 4.0 was a "significant leap forward," but she noted that continuous feedback from the cybersecurity community would be critical to its success.

The modular approach in CVSS 4.0, particularly the emphasis on threat intelligence and the introduction of the Supplemental Metric Group, is noteworthy. It might benefit from more extensive testing in real-world scenarios to ascertain its robustness.

Callie Guenther

Bud Broomhead, CEO of IoT cyber-hygiene firm Viakoo, said the new CVSS version adds a new focus on resiliency, which is often overlooked during the initial stages of an exploit, and also is starting to address the Internet of Things (IoT), operational technology (OT) and industrial control systems (ICS) spaces.

This new version of CVSS is — as many standards are — a look in the rearview mirror, catching up to the reality of how IoT/OT/ICS exploits have become one of the fastest-growing attack surfaces. Organizations concerned about their IoT/OT/ICS attack surface need to use CVSS as a base to build on. For example, the impact on the business from IoT/OT/ICS malicious hacks needs to be assessed in addition to CVSS.

Bud Broomhead

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security
