Vulnerability CVE: What Are CVEs and How They Bolster Security

What is the Common Vulnerabilities and Exposures Glossary (CVE)?

The Common Vulnerabilities and Exposures (CVE) is a catalog that aims to standardize the identification of known cyber threats. It provides a reference list to help security teams bolster their threat intelligence and vulnerability management efforts. 

What is a security vulnerability?

A security vulnerability is a weakness in an application that threat actors can exploit to obtain unauthorized access and launch various cyber attacks. Threat actors can leverage security vulnerabilities to access or modify sensitive data, run malicious code on a target system, or install malware. 

What are exposures?

Exposures are security threats that can potentially provide threat actors with access to internal systems and networks. Threat actors rely on exposures in software systems to orchestrate data leaks that can compromise sensitive information.

How the CVE helps

The potential threats listed in the database have CVE identifiers as well as standardized names. The CVE also provides insights to help design a comprehensive security policy and periodic security reports. Cross-functional teams use the CVE as a standard format to share information. It serves as a starting point in implementing security strategies.

The MITRE Corporation oversees the CVE program, and the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the U.S. Department of Homeland Security, funds it.

In this article:

  1. Difference Between a Vulnerability and an Exposure
  2. Managing Vulnerabilities with CVE
  3. What Qualifies for a CVE?
  4. What’s the Difference Between CVE and CVSS?
  5. The Benefits and Risks of the CVE Database
  6. Risks Involved in Publishing a New CVE

Difference Between a Vulnerability and an Exposure 

Threat actors can exploit a vulnerability to gain unauthorized access to systems or perform unauthorized actions. Vulnerabilities can allow threat actors to gain direct access to a network or system, install malware, run code, and access internal systems to destroy, modify, or steal sensitive data. If a vulnerability goes undetected, it can allow a threat actor to operate as a system administrator or super-user with full access privileges.

Exposures are mistakes that provide threat actors access to a network or system. Exposures allow threat actors to access and exfiltrate personally identifiable information (PII). 

Related content: Read our guide to vulnerability examples.

Managing Vulnerabilities with CVE 

CVE entries are brief: they do not include technical details or information about impacts, risks, and fixes. You can find these details in other databases, such as the US National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and commercially maintained lists.

The main goal of CVE is to give each vulnerability and exposure a single, standard identifier. It catalogs software vulnerabilities, acting as a dictionary that security teams can reference. Organizations leverage CVEs to identify and detect emerging vulnerabilities.

Using the CVE IDs for vulnerabilities, organizations get CVE-compatible information and access information about specific cyber threats. This accurate information helps plan for remediation after detecting vulnerabilities.

What Qualifies for a CVE? 

The CVE list includes only vulnerabilities and exposures that meet the following criteria:

  • Verified by the affected vendor or via other documentation as impacting security negatively.
  • Fixable independently by the end-user.
  • Relevant to a single affected product or codebase. A vulnerability affecting more than one product gets separate CVEs.

CVE Numbering Authorities (CNAs) regularly assign CVE IDs to vulnerabilities and create and publish information about vulnerabilities in their associated CVE records. There are several CNAs, each with specific responsibilities for identifying and publishing vulnerabilities.

In addition to their monitoring activities, CNAs use various channels to learn about potential CVEs, such as end-users, bug bounty programs, and cybersecurity companies. Not all CVEs are published immediately to the public CVE list. Affected vendors can reserve a CVE record until the fix is ready.

What’s the Difference Between CVE and CVSS? 

The Common Vulnerability Scoring System (CVSS) standardizes scoring across vulnerability management programs. Since this system indicates the severity of a security vulnerability, many vulnerability scanning tools rely on it for prioritization.

A CVSS score expresses the severity of an individual vulnerability, while the CVE list includes all publicly disclosed vulnerabilities with their CVE ID, description, comments, and dates. CVSS scores are not reported in the CVE list. You can find the assigned CVSS scores in the NVD.
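To make the split between CVE (identifier) and NVD/CVSS (severity) concrete, here is an added example that is not part of the original article: it normalizes CVE IDs coming from a scanner, looks up a CVSS v3.x base score in a constructed stand-in for NVD data, maps the score to its qualitative severity band, and orders findings for remediation. The score table and IDs are constructed placeholders, not real records.

```python
from __future__ import annotations
import re

# CVE IDs are "CVE-<year>-<sequence>"; the sequence has at least four digits
# (arbitrary length since the 2014 syntax change). Matching is case-insensitive.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def normalize_cve_id(raw: str) -> str:
    """Return a canonical CVE ID, or raise ValueError for malformed input."""
    candidate = raw.strip().upper()
    if not CVE_ID_RE.match(candidate):
        raise ValueError(f"not a CVE ID: {raw!r}")
    return candidate

def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"

# Constructed sample data (placeholder IDs, not real NVD records): CVE ID -> CVSS
# v3.x base score, standing in for what a lookup against the NVD would return.
NVD_SCORES = {
    "CVE-2021-00001": 9.8,
    "CVE-2022-00002": 5.3,
    "CVE-2023-00003": 2.1,
}

def triage(findings: list, scores=NVD_SCORES) -> list:
    """Normalize scanner findings, attach NVD severity, sort most severe first.
    IDs with no score (e.g. a reserved, not-yet-published record) are kept as
    "Unscored" at the end rather than silently dropped."""
    rows = []
    for raw in findings:
        cve_id = normalize_cve_id(raw)
        score = scores.get(cve_id)
        severity = cvss_severity(score) if score is not None else "Unscored"
        rows.append((cve_id, severity, score))
    rows.sort(key=lambda r: (r[2] is None, -(r[2] or 0.0), r[0]))
    return rows
```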

Related content: Read our guide to vulnerability testing.

The Benefits and Risks of the CVE Database 

The CVE list provides many benefits, including:

  • Centralized vulnerability management—the CVE offers a centralized place to manage and review vulnerabilities, regardless of the point of origin. Organizations using different software products can employ the CVE list to gain insights into vulnerabilities in all products. 
  • Consistent evaluation—the MITRE Corporation serves as the functional editor of the CVE list, ensuring vulnerabilities are evaluated consistently. There is no need to worry that a vulnerability is skipped over because of poor management or that duplicates and wrong number assignments muddle the list.
  • Common formatting and descriptions—in most cases, the CVE list offers the same data fields for all entries. Since the formatting is the same, it makes it easier to review and compare vulnerabilities.
  • Encouraged public sharing of knowledge—the CVE list encourages public sharing of information. Once a company discovers a vulnerability in published software, it is incentivized to report it. Many companies have systems to identify, catalog, and communicate information about vulnerabilities. However, the CVE streamlines the process and standardizes the information.
  • Research and better security—the CVE provides cybersecurity experts and organizations with information about vulnerabilities and exposures. The CVE list can help research software products, proactively identify possible vulnerabilities, and find solutions and workarounds before it is too late.

Risks Involved in Publishing a New CVE

It may seem risky to publicize information about security vulnerabilities and flaws. Since the list is publicly available, threat actors can also access the information. They could use the list to exploit disclosed vulnerabilities and attack individuals and companies. However, the security community has come to accept that transparency is more important in this case. 

The consensus is that the potential benefits of disclosing vulnerabilities and exposures outweigh the risks. Here is why:

  • It gives organizations an advantage—it takes far longer for an organization to patch or protect against a vulnerability than it takes a threat actor to exploit it. Circulating information about vulnerabilities as early and efficiently as possible is therefore vital to ensuring organizations can defend themselves in time.
  • It does not provide threat actors much of an advantage—the CVE lists only publicly known security vulnerabilities. It means skilled and resourceful threat actors already know about these vulnerabilities and do not need the CVE list to gain any significant advantage.

Security Testing with Bright Security

Bright Security helps address the shortage of security personnel, enabling AppSec teams to provide governance for security testing, and enabling every developer to run their own security tests. 

Bright empowers developers to incorporate automated Dynamic Application Security Testing (DAST) into their unit testing process, earlier than ever before, so they can resolve security concerns as part of their agile development process. Bright’s DAST platform integrates into the SDLC fully and seamlessly: 

  • Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
  • Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
  • Every security finding is automatically validated, removing false positives and the need for manual validation

Bright Security can scan any target, whether Web Apps or APIs (REST/SOAP/GraphQL), to help enhance DevSecOps and achieve regulatory compliance with our real-time, false-positive-free, actionable vulnerability reports. In addition, our ML-based DAST solution provides an automated way to identify Business Logic Vulnerabilities.
