As part of our vulnerability research work at NCC Group we find many vulnerabilities (bugs) in commercial products and systems and for the past nine years we have kept a detailed internal log of these bugs.
In this whitepaper prepared by Matt Lewis, Research Director at NCC Group, we provide some analysis of the data that we’ve captured in terms of types of bug found, their risk ratings, whether there are any trends in specific vulnerability classes and whether there are any observations around the overall responsible disclosure process.
The data presented here is captured from daily penetration testing engagements, and encompasses 1108 logged vulnerabilities that were found by consultants in commercial products. While we aim to pull out common themes and observations, we have to be watchful not to over-generalise or over-simplify the data and any patterns therein, because bug types were not always labelled consistently and consultants differed in how they judged the end result of exploiting a given vulnerability.
Of the 1108 logged bugs, we see that 41% were assessed as high risk, and 32% as medium. The actual breakdown was:
- Critical: 94
- High: 457
- Medium: 355
- Low: 202
Closed issues & time to fix
In reference to the bugs that we have successfully closed (either via the issue being fixed or the risk being explicitly accepted or dismissed by the vendor), we have a total of 289, or 26% of all bugs logged. The average time to fix these was 60 days. The average times to fix across the different risk-rated closed issues were:
- Critical issues: 74 days
- High risk issues: 34 days
- Medium risk issues: 77 days
- Low risk issues: 96 days
Overall, our observations around disclosure and fix timelines have not been flattering from the perspective of pragmatism, let alone urgency.
What of the next nine years:
Looking at the types of vulnerability that our consultants are finding in recent times, we are seeing an increase in the prevalence of:
- Deserialisation flaws
- Server-side request forgery (SSRF)
- Chaining of bugs: multiple low risk issues exploited in a chain across a large or complex infrastructure, resulting in full unauthorised control
- Hardware security: as we engage more on embedded systems and IoT we are seeing more hardware-related design and implementation flaws
Conclusions & recommendations
It is a pity that the tech industry has not managed to kill off common bugs, despite them being well known and understood for decades. A lot more investment is required around secure development lifecycles (SDL) and secure software development training.
Also, vendors need to be more aware of the importance of disclosure and have clearly defined processes for handling vulnerability information. Researchers, in turn, need to improve at maintaining communication with vendors and working towards fixes. To support this internally, NCC Group has created a quarterly and annual bug finding prize. Improvements are needed in the process of obtaining Common Vulnerabilities and Exposures (CVE) identifiers, and vendors should be educated on why CVEs are important.
This work should be revisited in time to see what improvements have been made and perhaps what new classes of vulnerabilities plague the world in the future.
Please find the full blog attached to this page.