Despite intentions to achieve complete correctness, virtually all hardware and software contains bugs where the system does not behave as expected.
If the bug could enable an attacker to compromise the confidentiality, integrity, or availability of system resources, it is called a vulnerability.
Insecure software development practices, as well as design factors such as complexity, can increase the number of vulnerabilities a system carries.
Regardless of whether a patch is ever released to remediate the vulnerability, its lifecycle will eventually end when the system, or older versions of it, fall out of use.
Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs.
DevOps, a development workflow that emphasizes automated testing and deployment to speed up the delivery of new features, often requires that many developers be granted access to change configurations, which can lead to the deliberate or inadvertent introduction of vulnerabilities.
Testing for security bugs in hardware is quite difficult due to limited time and the complexity of twenty-first-century chips,[23] while the globalization of design and manufacturing has increased the opportunity for such bugs to be introduced by malicious actors.
Open-source operating systems such as Linux and Android have freely accessible source code and allow anyone to contribute, which could enable the introduction of vulnerabilities.
Attacks used against vulnerabilities in web applications include:

There is little evidence about the effectiveness and cost-effectiveness of different cyberattack prevention measures.
Government or intelligence agencies buy vulnerabilities that have not been publicly disclosed and may use them in an attack, stockpile them, or notify the vendor.
As of 2013, the Five Eyes (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market, and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran.
Organized criminal groups also buy vulnerabilities, although they typically prefer exploit kits.
Research suggests that the risk of cyberattack increases once the vulnerability is made publicly known or a patch is released.
This can take an extended period of time; in particular, industrial software may not be feasible to replace even after the manufacturer stops supporting it.
CVSS evaluates how readily the vulnerability can be exploited and to what degree exploitation compromises data confidentiality, integrity, and availability.
The level of access needed for exploitation and whether it could take place without user interaction are also factored into the overall score.
The former approach is praised for its transparency, but the drawback is that the risk of attack is likely to be increased after disclosure with no patch available.
CVE and other databases typically do not track vulnerabilities in software-as-a-service products.
Some companies are covered by laws, such as PCI, HIPAA, and Sarbanes-Oxley, that place legal requirements on vulnerability management.