Specific Criticism of CVSS4
Marc Ruef
The debate over whether and how open source affects the security of a product has been going on for a while. Theoretically speaking, three main positions can be taken:
In general, all three assumptions can be correct; which one applies depends on the standpoint taken and on the properties of the product in question. The statements can be summarized as follows:
Let us assume that a system has a certain number of Total Vulnerabilities. This number is greater than or equal to the number of Vulnerabilities Undiscovered (the two are equal only as long as nothing has been found yet). The number of Vulnerabilities Undiscovered is, in turn, taken to be greater than or equal to the number of Vulnerabilities Discovered; unlike the other steps, this one is an assumption that holds as long as most of a system's flaws remain unfound, not a strict identity. Finally, the number of Vulnerabilities Discovered is greater than or equal to the number of Vulnerabilities Public, since a flaw can be known to its finder, or to the vendor, without being disclosed:
Total Vulnerabilities ≥ Vulnerabilities Undiscovered ≥ Vulnerabilities Discovered ≥ Vulnerabilities Public
The position of a vulnerability in this chain determines the danger emanating from it. The further a vulnerability has moved toward the public end, the more likely it is to be mitigated, because a fix presupposes that someone has found and reported it. This is basically a good thing for both the manufacturer and the customer. The one exception is the interval between publication and patch: a vulnerability that is public but not yet fixed is the most dangerous state of all.
Some publications take the number of Vulnerabilities Discovered or Vulnerabilities Public as a direct indicator of the security of a system, and thereby as a statement about its Total Vulnerabilities. As the comparison shows, this is not necessarily the case: the public count is only a lower bound on the total. Only the data of the past could potentially _show a possible trend_.
A high number of publicized vulnerabilities is therefore not necessarily an indicator of lacking product quality. If the vulnerabilities are being fixed, it is also an indicator of the rise in security a product has gone through. Good examples of this are the Microsoft products IIS and Internet Explorer. Both have been criticized over the years for their high number of security holes and patches. The current statistical comparison (see also) with competing products shows that the level of security of these products is now above the average across the board. This shows that even the data of the past is not a certain indicator of security.
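The count argument above is easy to state and easy to misread, so here is a small toy model that puts numbers to it. This is an added example, not code from the original article or from scip AG; every figure in it is constructed for illustration, and the constant per-year discovery, publication and fix rates are an assumption of the model, not a claim about real products. It checks the relations that hold by construction (Total = Undiscovered + Discovered, Discovered ≥ Public ≥ Fixed) and then compares two hypothetical products: A, heavily audited with fast patching, and B, with twice as many flaws but little scrutiny and slow fixes. After five years A has far more public advisories than B, yet far fewer vulnerabilities still exploitable, which is exactly why the public count alone says nothing about the total.

```python
"""Toy model of the vulnerability-count chain (constructed example)."""
from dataclasses import dataclass
import math


@dataclass
class Snapshot:
    year: int
    total: int          # Total Vulnerabilities: a fixed property of the code base
    undiscovered: float
    discovered: float   # found by anyone: vendor, researchers or attackers
    public: float       # discovered and publicly disclosed
    fixed: float        # public and patched
    new_public: float   # disclosures made in this year (what advisory counts show)

    @property
    def unfixed(self) -> float:
        """Vulnerabilities still exploitable: everything that is not patched."""
        return self.total - self.fixed


def chain_holds(s: Snapshot) -> bool:
    """Relations that hold by construction, independent of the rates."""
    return (math.isclose(s.total, s.undiscovered + s.discovered)
            and s.total >= s.undiscovered >= 0
            and s.discovered >= s.public >= s.fixed >= 0)


def simulate(total: int, discover_rate: float, publish_rate: float,
             fix_rate: float, years: int) -> list[Snapshot]:
    """Each year a share of the undiscovered flaws is found, a share of the
    privately known ones is published, and a share of the public ones is
    fixed. Constant rates are an assumption of this toy model."""
    undiscovered, discovered, public, fixed = float(total), 0.0, 0.0, 0.0
    history = []
    for year in range(1, years + 1):
        found = undiscovered * discover_rate
        undiscovered -= found
        discovered += found
        new_public = (discovered - public) * publish_rate   # private -> public
        public += new_public
        fixed += (public - fixed) * fix_rate                # public -> patched
        history.append(Snapshot(year, total, undiscovered, discovered,
                                public, fixed, new_public))
    return history


def trend(history: list[Snapshot]) -> list[float]:
    """Year-over-year change in disclosures: the only 'indicator' the
    article grants to historical data."""
    return [b.new_public - a.new_public for a, b in zip(history, history[1:])]


def public_count(history: list[Snapshot]) -> float:
    return history[-1].public


def unfixed_count(history: list[Snapshot]) -> float:
    return history[-1].unfixed


# Constructed products (hypothetical numbers, not measurements).
PRODUCT_A = simulate(total=200, discover_rate=0.4, publish_rate=0.9,
                     fix_rate=0.9, years=5)
PRODUCT_B = simulate(total=400, discover_rate=0.05, publish_rate=0.5,
                     fix_rate=0.3, years=5)


if __name__ == "__main__":
    for name, h in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        last = h[-1]
        print(f"{name}: public={last.public:.0f} unfixed={last.unfixed:.0f} "
              f"yearly disclosures={[round(s.new_public) for s in h]}")
```

Run as a script it prints both products' final public and unfixed counts plus their yearly disclosure series. Product A's disclosures fall year after year (the downward trend the article allows historical data to show), while product B's stay flat; judging by advisory counts alone, B would look like the safer product while actually carrying roughly twenty times as many unfixed flaws.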
As shown above, open and closed source systems each have distinct advantages. The question is which model should be preferred in high security environments.
A closed source solution can be recommended if a short-term advantage, and only a short-term advantage, is the goal. If the solution can be tested by internal specialists, it can give the defender a head start. This is what can be assumed of the NSA's changes to the DES S-boxes, which hardened the cipher against differential cryptanalysis years before that technique was publicly known. In the long run, attackers will catch up and turn the advantage of the closed source system into a disadvantage, as evidenced by the A5 encryption algorithms used in GSM, which were kept secret, then reverse engineered and broken.
In the long run, open source systems should be preferred over closed source ones. Through active collaboration with a community, especially in combination with internal specialists, vulnerabilities can be discovered and eliminated much more quickly. The goal should be to reach, as quickly as possible, a state in which the system is as secure as possible and no highly critical and unknown weaknesses remain.