April 2023

Common Vulnerabilities and Exposures (CVE), Risk or Utility?

Converting a weakness into a strength is not just the work of superheroes. Cybersecurity works every day to achieve exactly that, and who wouldn't want to be sure that their website is completely secure?

Although we, as humanity, have taken a while to realize that working as a community makes us advance faster, it is also true that we have had some very remarkable initiatives, such as MITRE, the corporation that proposed a public list of security vulnerabilities and exposures in 1999: the CVE.

What are Common Vulnerabilities and Exposures? 

The interesting thing about the Common Vulnerabilities and Exposures list is that it collects information about vulnerabilities and is fed with reports from the user community at large, and that information is made public and free.

Yes, so far it sounds too good to be true, and surely the necessary question at this point is whether making CVEs public might lead a hacker to misuse that information.

The simplest answer would be "yes," but at the same time, the information is disclosed along with the solution. So in that sense, the idea is to update constantly in order to keep up with the latest CVE entries, which can be found directly on the MITRE website.

Using CVE-compatible cybersecurity tools in your company reduces risk on a large scale. But it is also important to say that not all vulnerabilities are published on this list, because those who stumble upon them do not always take the time to report them.

That does not mean that they are untraceable, because usually the entities that find them also publish them, but let's say that it makes accessing them more difficult.

How is the CVE vulnerabilities list updated? 

Whenever someone reports a new vulnerability, a protocol is followed to admit it into the list, so another point to consider is that, although the list is constantly updated, the most recent CVEs are not made public immediately.

What is true is that the wait is worth it because, as mentioned before, they are not published without their respective patch.

In conclusion, the idea of standardizing the way we identify vulnerabilities and exposures seems very useful to me and results in better mitigation strategies. Even more so if we reduce the effort by working as a community on cybersecurity.

Author: Isaac Luz (Senior Developer)