Category Archives: Risk Management

A true chance to make CVE a true community program

This is something I always say – we have too few global, horizontal, community initiatives in cybersecurity. There are lots of private and commercial initiatives, but fewer community ones.

The CVE program, run by MITRE, is running out of funding from the US government.
This event can be the trigger for such a change. It is a golden opportunity for a change for the good of the industry.

This is a chance to turn it into a global program, not only a US-controlled one, funded by governments from around the world, plus core monetary support from the cybersecurity vendor and services giants who make billions of dollars out of cybersecurity and rely on CVE data.

“U.S. Govt. Funding for MITRE’s CVE Ends April 16, Cybersecurity Community on Alert”
https://thehackernews.com/2025/04/us-govt-funding-for-mitres-cve-ends.html

A thought about the essence of vulnerability


I would like to offer a slightly different way of thinking about the concept of vulnerability.
Vulnerability, in the context of information security, refers to one or more weaknesses and, following their exploitation, the probability of damage to data, information systems and/or processes.

Vulnerability as a concept originates in human life: a human weakness that endangers the body and/or soul/mind, and thus increases the risk of injury to the person in question.
Vulnerability is something passive, a kind of existing characteristic, one that a person who has it will probably wish to strengthen or fix as soon as possible, to reduce the possibility of damage.

When a “regular” software bug affects a system's calculations or processing, its stability or its performance, the bug is usually triggered unintentionally, when certain conditions occur, some originating from standard human operation of the system and some from an automatic process.

Vulnerability, in my view, is a special case of a bug, but an important one: as in many situations in human life, it would neither be a bug nor materialize without human malice (except, perhaps, Denial-of-Service conditions, which may (barely) be considered an inability to meet a high volume of legitimate operational activity).
Vulnerability is a bug that is initiated and realized only when there is malicious human intent behind it.

Both human and computerized systems can exist for a long time without being damaged while a vulnerability exists within them, if they live in an environment that is not hostile or malicious.
Without a human-originated initiative to exploit a vulnerability, we can say that the risk the bug represents does not really exist, because no action was taken to reveal or exploit it.

Many times, when thinking of information security, we tend to concentrate on its technology side (and therefore look only for technological solutions), and ignore or neglect the aspects of human behavior that are inherent in this profession (as in the parallel occupations of safety and physical security). These are the aspects that are harder for us to deal with, both personally and as an organization: the human malicious intent.


(This post is a translation of a post from my Hebrew information security blog, dated 10-May-2008.)