Friday, June 14, 2024

What’s going on with the National Vulnerability Database?

The National Vulnerability Database is so overwhelmed with a steadily increasing number of software and hardware flaws that the National Institute of Standards and Technology, which maintains the common vulnerabilities and exposures repository, called for a slight pause to regroup and reprioritize its efforts.

NIST scaled back the NVD program in mid-February, and is currently prioritizing analysis of the most significant or actively exploited vulnerabilities. The slowdown was precipitated by “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support,” NIST said in the announcement.

The federal agency is seeking more support from within the government and reassigning staff as it assembles a public-private consortium to address long-term challenges and determine how to improve the NVD program. In the interim, the temporary delays in CVE analysis will result in less detailed analysis of vulnerabilities deemed non-urgent.

The work and output of NIST’s NVD program is remarkable. The agency reported an all-time high of 33,137 disclosures last year, a 318% increase from 2005 when the NVD first came online, according to Flashpoint research.

Government agencies, private companies, researchers and threat hunters use NVD’s standards-based vulnerability management data to automate security measurement and compliance, and assess, mitigate and spot potential risks lurking in these CVEs.

“So many folks have, honestly, probably been taking it for granted for years,” said Caitlin Condon, director of vulnerability research at Rapid7.

NVD has long been an authoritative and widely trusted source for vulnerability information, despite occasional disputes about NIST’s timeliness or transparency, CVSS scores, common platform enumeration (CPE), or root cause identification.

“Security professionals across a variety of disciplines like research and vulnerability management have come to rely on NVD,” said Emily Austin, principal security researcher at Censys. “It’s built into vulnerability management tools and processes across many organizations, and its importance really can’t be overstated.”

NVD slowdown creates difficulties downstream

Impacts from the NVD slowdown are expected to materialize over time, and cybersecurity experts anticipate a snowball effect as some vulnerabilities receive less attention from NIST.

Some vendors disclose very little information about vulnerabilities in their products. When NIST isn’t filling that analysis gap, the responsibility ultimately falls on threat hunters, researchers and security companies.

Other vulnerability catalogs exist, such as the Mitre Corp.’s CVE.org and the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, but the former doesn’t have the federal government’s official backing as a trusted source of truth and the latter is limited in scope.

“There’s value in being able to use a common language to discuss CVEs. That said, I also see concerns with having a single point of failure, as we’re experiencing now,” Austin said.

The temporary delays have already made it much more difficult for organizations to understand what software and products in their environments are vulnerable to a given CVE, according to Austin.

“Those working in vulnerability management and the tools they rely on are at a major disadvantage as a result of the NVD issues,” Austin said.

Challenges confronting the NVD

The sheer glut of vulnerabilities that NIST must analyze combined with the agency’s resource constraints has created a backlog in the NVD.

“Even before the start of the NVD slowdown, NVD has been significantly behind in analysis of the growing number of disclosures for years, often ranging from two to six weeks to analyze a given vulnerability. Over time, this gap in coverage has culminated to over 100,000 vulnerabilities missed by CVE and NVD,” Flashpoint research found.
