Why does China spot security vulnerabilities quicker than the US?

In a world of state-sponsored hackers, highly motivated cybercrime gangs and determined hacktivists, mitigating software vulnerabilities is an essential part of the job for IT security teams. Many look to authoritative centralised sources to help manage their risk exposure, such as the US government’s National Vulnerability Database (NVD). However, new research has found that bugs appear far more quickly in the Chinese equivalent: the CNNVD.

This not only means Chinese firms could, in theory, make themselves resilient to attack more quickly than their Western counterparts; it could also give hackers a head start on researching exploits for flaws that US firms have not yet caught wind of. Given the huge resources Washington ploughs into offensive cyber-operations, it’s surely not much to ask that it gets more proactive about helping organisations’ vulnerability management efforts.

NVD vs CNNVD

Recorded Future analysed 17,940 vulnerabilities between September 2015 and 2017, examining how many days after the initial public disclosure each one appeared in the NVD and the CNNVD. It found an average delay of 38 days for the NVD, versus just 13 days for the CNNVD. In fact, the CNNVD captures 90% of all vulnerabilities within 18 days, while the NVD takes 92 days – an even bigger gap.
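The two figures Recorded Future reports (mean disclosure-to-listing lag, and the day by which 90% of all vulnerabilities are listed) can be computed for any feeds a team tracks. The script below is an added example, not Recorded Future's code or data set; it assumes you already know each vulnerability's first public disclosure date and the date each database listed it, and runs on constructed records with placeholder CVE ids.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from math import ceil
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnRecord:
    """One vulnerability: first public disclosure (e.g. a vendor bulletin) and
    the date each database ('nvd', 'cnnvd', ...) first listed it; None = never."""
    cve_id: str
    first_disclosed: date
    listed: Dict[str, Optional[date]] = field(default_factory=dict)


def lag_days(rec: VulnRecord, source: str) -> Optional[int]:
    """Days from first public disclosure to the entry appearing in `source`."""
    when = rec.listed.get(source)
    return None if when is None else (when - rec.first_disclosed).days


def summarise(records: List[VulnRecord], source: str,
              coverage: float = 0.90) -> Tuple[Optional[float], Optional[int]]:
    """Return (mean lag in days, day by which `coverage` of ALL records are
    listed). The second value is None if the source never reaches that coverage,
    because entries it never picks up still count against it."""
    lags = sorted(l for l in (lag_days(r, source) for r in records) if l is not None)
    if not lags:
        return None, None
    idx = ceil(coverage * len(records)) - 1      # rank over all records, not just listed ones
    day = lags[idx] if idx < len(lags) else None
    return mean(lags), day


def build_sample() -> List[VulnRecord]:
    """Constructed records (placeholder ids, not real data): lags chosen so the
    NVD trails the CNNVD, plus one CVE that the NVD never picked up."""
    base = date(2016, 1, 1)
    nvd_lags = [5, 12, 20, 30, 35, 40, 45, 60, 70, 90, None]
    cnnvd_lags = [1, 3, 5, 7, 9, 11, 13, 15, 17, 25, 30]
    recs = []
    for i, (n, c) in enumerate(zip(nvd_lags, cnnvd_lags)):
        disclosed = base + timedelta(days=7 * i)
        recs.append(VulnRecord(
            cve_id=f"CVE-2016-{1000 + i}",          # placeholder, not a real CVE
            first_disclosed=disclosed,
            listed={"nvd": None if n is None else disclosed + timedelta(days=n),
                    "cnnvd": disclosed + timedelta(days=c)}))
    return recs


if __name__ == "__main__":
    for src in ("nvd", "cnnvd"):
        avg, day = summarise(build_sample(), src)
        print(f"{src}: mean lag {avg:.1f} days, 90% listed within "
              f"{'never' if day is None else f'{day} days'}")
```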

The explanation appears to lie in how the two databases are managed and operated. The NVD is managed by the Security Testing, Validation and Measurement Group of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). However, it only includes CVEs (vulnerabilities) once they have been published in the CVE Dictionary run by the non-profit MITRE Corporation. MITRE is responsible for managing the entire CVE process, including the selection and management of CVE Numbering Authorities (CNAs). Major software developers such as Oracle and Microsoft are CNAs. They typically disclose information about a vulnerability, its potential impact, any affected products and available patches in a security bulletin on their own website. At this point, however, the process breaks down, because the CNAs do not then automatically update the MITRE CVE Dictionary. As Recorded Future explains:


Phil Muncaster

Phil Muncaster has been writing about technology since joining IT Week as a reporter in 2005. After leaving his post as news editor of online site V3 in 2012, Phil spent over two years covering the Asian tech scene from his base in Hong Kong. Now back in London, he always has one eye on what's happening out East.
