A Historical and Statistical Studyof the Software Vulnerability Landscape

TL;DR

This study analyzes the historical and statistical trends of software vulnerabilities using CVSS data from 2005 to 2019, revealing that most vulnerabilities are low-complexity, network-exploitable, and have remained consistent over time.

Contribution

It provides a comprehensive statistical characterization of vulnerability attributes and their evolution, highlighting the dominance of certain vulnerability types and stability in the landscape.

Findings

Most vulnerabilities are exploitable over the network

Vulnerability complexity is generally low

The vulnerability landscape has changed little over time

Abstract

Understanding the landscape of software vulnerabilities is key for developing effective security solutions. Fortunately, the evaluation of vulnerability databases that use a framework for communicating vulnerability attributes and their severity scores, such as the Common Vulnerability Scoring System (CVSS), can help shed light on the nature of publicly published vulnerabilities. In this paper, we characterize the software vulnerability landscape by performing a historical and statistical analysis of CVSS vulnerability metrics over the period of 2005 to 2019 through using data from the National Vulnerability Database. We conduct three studies analyzing the following: the distribution of CVSS scores (both empirical and theoretical), the distribution of CVSS metric values and how vulnerability characteristics change over time, and the relative rankings of the most frequent metric value over time. Our resulting analysis shows that the vulnerability threat landscape has been dominated by only a few vulnerability types and has changed little during the time period of the study. The overwhelming majority of vulnerabilities are exploitable over the network. The complexity to successfully exploit these vulnerabilities is dominantly low; very little authentication to the target victim is necessary for a successful attack. And most of the flaws require very limited interaction with users. However on the positive side, the damage of these vulnerabilities is mostly confined within the security scope of the impacted components. A discussion of lessons that could be learned from this analysis is presented.