Vulnerability Ecosystem
From Discovery to Fix
It is an accepted fact that most software written suffers from design and
implementation weaknesses. Vulnerabilities are of particular interest when the
program containing them is networked or has access to the Internet. Users are
exposed to risk when vulnerabilities are discovered, disclosed, and exploited.
Software vendors try to keep up with the ever-increasing rate of newly
discovered security vulnerabilities by providing a fix so that the software can
be patched.
Unfortunately, vendors cannot make security fixes available instantly after the
discovery of new vulnerabilities or exploits.
And when a new patch is developed and released by the vendor, users of the
software cannot deploy it with zero delay either.
[Plots (not reproduced here): number of days of discovery, exploit availability and patch availability before/after the public disclosure of each vulnerability.]
- x-axis: date of public disclosure of the vulnerability
- y-axis: number of days the discovery, exploit or patch lies before (negative) or after (positive) the disclosure
Vulnerability Ecosystem
The many processes from the discovery of a new vulnerability to the deployment
of a vendor fix make up the Vulnerability Ecosystem.
Vulnerability creation
- How is a vulnerability created in the first place?
Discovery
- Who discovers a new vulnerability?
- The Good: Responsible researchers, security organizations, users or the vendor.
- The Bad: Irresponsible users, hackers and organized crime.
- Good or Bad: The Government, depending on how the information is handled.
Exploitation
- The developer of an exploit (whatever their motivation) needs information about the vulnerability, obtained through:
- original research on the vulnerability
- purchase of vulnerability information
- public sources (public vulnerability disclosure)
- reverse engineering of the software or of the patch
Public disclosure
- How does the public learn of a new vulnerability?
- it gets caught by surprise, in the form of malware, a virus or an exploit
- from the vendor (might be biased)
- from independent trusted sources
- through the information that comes with the release of patches
- not at all, vulnerability is silently patched by vendor
- not at all, vulnerability is silently used by an organization
Patch development
- Vendor has advance information from the discoverer of the vulnerability (collaboration)
- Vendor denies the vulnerability ("it's a feature, not a bug")
- Vendor is caught by surprise (zero-day exploit)
Patch implementation
- How long does it take a user to implement a patch?