
The importance of vulnerability research: Recent findings

  • Posted on: March 18, 2015
  • Posted in: Cloud Computing, Current News, Industry News, Vulnerabilities & Exploits
  • Posted by: Trend Micro

In the current threat environment, vulnerability research is incredibly important. These findings can serve to better protect users and make software developers and vendors aware of flaws that could put sensitive information at risk of exposure. And with cyber attacks becoming more prevalent, one would think the industry would welcome any opportunity to mitigate the chances of hackers breaking into commonly-used programs.

Recently, however, there has been considerable controversy surrounding vulnerability research, particularly when it comes to the disclosure of teams' findings. A number of questions come up in this regard, including:

  • What makes vulnerability research so critical?
  • How should software vendors treat researchers' findings?
  • When is it appropriate for vulnerability research teams to publish their findings for the public?

While the answers to one or more of these queries might seem obvious, there are some in the technology industry who are struggling with them, especially in the wake of findings being published pertaining to vulnerabilities in Microsoft products. In order to determine the best solutions, let's examine vulnerability research, its importance and the current controversy in the sector.

What is vulnerability research?
To ensure full understanding, let's begin with the basics. Vulnerability research encompasses the processes engineering teams use to pinpoint flaws in software programs that could lead to security issues, noted NetraGard. These efforts can include reverse engineering, static code analysis and an array of other initiatives to recognize program issues. However, information security expert Bruce Schneier noted that it is important that the team include engineers with specific expertise in security, because of their unique point of view.

"Security engineers see the world differently than other engineers," Schneier wrote. "Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent – or protect against – those failures."

Why is vulnerability research important in the technology and security spaces?
There are considerable benefits to be gleaned from vulnerability research. In addition to helping to mitigate the risk of hackers exploiting discovered program weaknesses, this research also helps security vendors better protect their users. Trend Micro noted that with the information gleaned from vulnerability research, security vendors are also given the opportunity to establish patches for recognized weaknesses and to increase their responsiveness to zero-day and N-day exploits.

"It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly," Trend Micro Threat Analyst Weimin Wu wrote.

In addition to helping vendors create safer products and better protect sensitive user information, NetraGard pointed out that in the current threat environment, if vulnerability researchers don't pinpoint and address software flaws, cybercriminals will surely exploit them.

"If you do not check the security of your technology, then you can rest assured that malicious hackers will," NetraGard stated. "Vulnerability research helps to identify and eliminate security flaws that might otherwise be exploited by malicious hackers. Successful exploitation can lead to system compromise, data loss, data corruption, theft of intellectual property, theft of sensitive data, loss of service and sometimes loss of life."

With these consequences serving as motivation, vulnerability researchers perform incredibly important work that impacts software developers, vendors and users around the world.

What's the problem with vulnerability research?
With the advantages of vulnerability research clear, one might wonder why controversy has erupted around these efforts. Wu noted that the recent publishing of vulnerabilities in Microsoft products, including Internet Explorer and Windows 8.1, caused a stir in the industry. The publications came from HP's Zero Day Initiative and Google's Project Zero, and were made public after the issues were not addressed within 90 days of them being reported.

"This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed," Wu wrote. "A case where a vulnerability was disclosed without a patch has mixed results for end users: It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future; however, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities."

While the jury is still out on how discovered vulnerabilities should be treated by both researchers and software providers, it does not diminish the importance of the research itself.

The changing landscape of vulnerability research
In recent years, vulnerability research has moved from a white hat hobby to a more pressing need within the industry. As the instances of cyberattacks continue to increase, users are increasingly aware that anyone can become a victim, Trend Micro noted. Because many attacks come by way of zero-day exploits, the pressure is on to discover weaknesses and patch them as quickly as possible.

"This has resulted in both established security vendors as well as startups expanding their ability to discover vulnerabilities in applications and websites," Wu wrote. "In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks."

As the threat landscape continues to evolve, vulnerability research will become an increasingly key part of the security and technology sectors.
