Vulnerability (computing)


Vulnerabilities are flaws in a computer system that weaken the overall security of the device or system. Vulnerabilities can be weaknesses in either the hardware itself or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.

Vulnerability management is a cyclical practice whose details vary, but which generally includes the same steps: discover all assets, prioritize assets, assess or perform a complete vulnerability scan, report on the results, remediate vulnerabilities, verify the remediation, and repeat. This practice generally refers to software vulnerabilities in computing systems.[1] Agile vulnerability management refers to preventing attacks by identifying all vulnerabilities as quickly as possible.[2]

A security risk is often incorrectly classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion. Risk is the potential of a significant impact resulting from the exploitation of a vulnerability. There are also vulnerabilities without risk, for example when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available or deployed, or the attacker was disabled; see zero-day attack.
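The distinctions drawn above (risk versus vulnerability, exploitable vulnerability, window of vulnerability) together with one turn of the management cycle from the previous paragraph, in working form. This is an added example and not part of the article; the asset names, dates and the scoring weights are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Asset:
    name: str
    value: int  # business value of the asset; 0 means its compromise has no impact

@dataclass
class Finding:
    asset: Asset
    weakness: str
    severity: int            # how bad the weakness itself is, 1..10 (assumed scale)
    exploit_known: bool      # a working, fully implemented attack exists
    introduced: date         # when the hole reached deployed software
    fix_deployed: Optional[date] = None  # None while still open
    verified: bool = False   # remediation confirmed by a re-scan

    def risk(self) -> int:
        # Risk is the potential impact of exploitation, so it scales with the
        # asset's value: an exploitable hole on a worthless asset scores 0.
        # The x2 weight for a known exploit is an assumed, illustrative weight.
        return self.severity * (2 if self.exploit_known else 1) * self.asset.value

    def window_days(self, today: date) -> int:
        # Window of vulnerability: from introduction until the fix is deployed,
        # or until today if the finding is still open.
        return ((self.fix_deployed or today) - self.introduced).days

def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    # One turn of the cycle: keep findings that are open or whose fix is not yet
    # verified, highest risk first, longest exposure breaking ties.
    todo = [f for f in findings if f.fix_deployed is None or not f.verified]
    return sorted(todo, key=lambda f: (-f.risk(), -f.window_days(today)))

# Constructed sample inventory and scan results (not from the article).
TODAY = date(2024, 3, 1)
DB = Asset("customer-db", value=10)
KIOSK = Asset("decommissioned-kiosk", value=0)   # vulnerable, but no risk
WEB = Asset("public-web", value=6)
FINDINGS = [
    Finding(DB, "unpatched service", 7, True, date(2024, 1, 1)),
    Finding(KIOSK, "default credentials", 9, True, date(2023, 6, 1)),
    Finding(WEB, "verbose error pages", 3, False, date(2024, 2, 1),
            fix_deployed=date(2024, 2, 20)),                # fixed, not yet verified
    Finding(WEB, "outdated TLS config", 5, False, date(2024, 1, 15),
            fix_deployed=date(2024, 2, 1), verified=True),  # closed
]

def run_cycle() -> List[str]:
    # Remediation order for this turn of the cycle, as "asset:weakness" strings.
    return [f"{f.asset.name}:{f.weakness}" for f in prioritize(FINDINGS, TODAY)]
```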

A security bug (security defect) is a narrower concept. There are vulnerabilities that are not related to software: hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

Constructs in programming languages that are difficult to use properly can give rise to large numbers of vulnerabilities.

References

  • Definitions. doi:10.1145/3357767.3357774. ISBN 978-1-4503-7669-3. S2CID 202676146.
  • ISO/IEC, "Information technology -- Security techniques -- Information security risk management", ISO/IEC FIDIS 27005:2008.
  • British Standards Institution, "Information technology -- Security techniques -- Management of information and communications technology security -- Part 1: Concepts and models for information and communications technology security management", BS ISO/IEC 13335-1:2004.
  • Internet Engineering Task Force, RFC 4949, "Internet Security Glossary, Version 2".
  • "CNSS Instruction No. 4009" (PDF). 26 April 2010. Archived from the original (PDF) on 2013-06-28.
  • "FISMApedia". fismapedia.org.
  • "Term:Vulnerability". fismapedia.org.
  • NIST SP 800-30, "Risk Management Guide for Information Technology Systems".
  • "Glossary". europa.eu.
  • Technical Standard Risk Taxonomy. ISBN 1-931624-77-1. Document Number C081. The Open Group, January 2009.
  • "An Introduction to Factor Analysis of Information Risk (FAIR)". Risk Management Insight LLC, November 2006. Archived 2014-11-18 at the Wayback Machine.
  • Bishop, Matt; Bailey, Dave (September 1996). A Critical Analysis of Vulnerability Taxonomies. Technical Report CSE-96-11, Department of Computer Science, University of California at Davis.
  • Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization).
  • NIATEC Glossary.
  • ISACA, The Risk IT Framework (registration required). Archived July 5, 2010, at the Wayback Machine.
  • Wright, Joe; Harmening, Jim (2009). Chapter 15. In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 257. ISBN 978-0-12-374354-1.
  • Kakareka, Almantas (2009). Chapter 23. In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 393. ISBN 978-0-12-374354-1.
  • Krsul, Ivan (April 15, 1997). Technical Report CSD-TR-97-026. The COAST Laboratory, Department of Computer Sciences, Purdue University. CiteSeerX 10.1.1.26.5435.
  • Pauli, Darren (16 January 2017). "Just give up: 123456 is still the world's most popular password". The Register. Retrieved 2017-01-17.
  • "The Six Dumbest Ideas in Computer Security". ranum.com.
  • "The Web Application Security Consortium / Web Application Security Statistics". webappsec.org.
  • Anderson, Ross (January 1994). Why Cryptosystems Fail. Technical report, University Computer Laboratory, Cambridge.
  • Schlager, Neil (1994). When Technology Fails: Significant Technological Disasters, Accidents, and Failures of the Twentieth Century. Gale Research Inc.
  • Hacking: The Art of Exploitation, Second Edition.
  • Kiountouzis, E. A.; Kokolakis, S. A. (31 May 1996). Information Systems Security: Facing the Information Society of the 21st Century. London: Chapman & Hall, Ltd. ISBN 0-412-78120-4.
  • Rasmussen, Jeremy (February 12, 2018). "Best Practices for Cybersecurity: Stay Cyber SMART". Tech Decisions. Retrieved September 18, 2020.
  • "What is a vulnerability? - Knowledgebase - ICTEA". www.ictea.com. Retrieved 2021-04-03.
  • Bavisi, Sanjay (2009). Chapter 22. In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications, Elsevier Inc. p. 375. ISBN 978-0-12-374354-1.
  • "The new era of vulnerability disclosure - a brief chat with HD Moore". The Tech Herald. Archived from the original on 2010-08-26. Retrieved 2010-08-24.
  • Betz, Chris (11 January 2015). "A Call for Better Coordinated Vulnerability Disclosure - MSRC - Site Home - TechNet Blogs". blogs.technet.com. Retrieved 12 January 2015.
  • "Wiz launches open database to track cloud vulnerabilities". SearchSecurity. Retrieved 2022-07-20.
  • Barth, Bradley (2022-06-08). "Centralized database will help standardize bug disclosure for the cloud". www.scmagazine.com. Retrieved 2022-07-20.
  • Vijayan, Jai (2022-06-28). "New Vulnerability Database Catalogs Cloud Security Issues". Dark Reading. Retrieved 2022-07-20.
  • "Category:Vulnerability". owasp.org.
  • Harley, David (10 March 2015). "Operating System Vulnerabilities, Exploits and Insecurity". Retrieved 15 January 2019.
  • "Most laptops vulnerable to attack via peripheral devices". ScienceDaily; source: University of Cambridge. http://www.sciencedaily.com/releases/2019/02/190225192119.htm
  • "Exploiting Network Printers". Institute for IT-Security, Ruhr University Bochum.
  • [1] Archived October 21, 2007, at the Wayback Machine.
  • "Jesse Ruderman » Race conditions in security dialogs". squarefree.com.
  • "lcamtuf's blog". lcamtuf.blogspot.com. 16 August 2010.
  • "Warning Fatigue". freedom-to-tinker.com. 22 October 2003.

External links

  • Media related to Vulnerability (computing) at Wikimedia Commons
  • Security advisories links from the Open Directory: http://dmoz-odp.org/Computers/Security/Advisories_and_Patches/