Tuesday, August 16, 2005

National Vulnerability Database

I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way:

"NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."

There's a link to a workload index, whose URL includes the term "threatindex" (groan). On that page we read:

"Workload Index Information

This index calculates the number of important vulnerabilities that information technology security operations staff are required to address each day. The higher the number, the greater the workload and the greater the general threat represented by the vulnerabilities."

I think the last sentence should instead read:

"The higher the number, the greater the workload and the greater the general risk represented by the vulnerabilities."


I am not sure what the Open Source Vulnerability Database (OSVDB) thinks of the NVD. There is a blog posting about NVD, but no commentary by OSVDB members. I think the OSVDB needs to remain as a place that is independent of US government control. If a truly severe vulnerability is found, who is more likely to publish it first -- nvd.nist.gov or www.osvdb.org?

On a note related to vulnerabilities, here is a list of vulnerability or attack description projects.

These are papers on related subjects:

3 comments:

Anonymous said...

What would scare me most about the .gov providing this service is how judicious they may be with posting and announcing vulnerabilities. Will they be subject to US companies with clout enough to tell them to take a vulnerability off? Will the DHS use this as part of their way to control cyberterror by not publishing vulnerabilities that are not patched yet? Otherwise they may get general media backlash about providing the tools to 'hackers' they are trying to protect against...

-- LonerVamp

Anonymous said...

Hi Richard,

I wonder if you could post some more on why you groan about 'threat index' as a security term.

I too have disliked this term 'threat', since I feel it's impossible to measure intent. I prefer to think in terms of 'vulnerabilities' and 'exploits', which are much more measurable IMHO - and I think the use of the word 'threat' is damaging security thinking every time it's used.

Would love to hear your expanded thoughts on this.

Richard Bejtlich said...

Hello,

Many times I see the word "threat" used improperly. Search the blog for "threat" and you'll find many old posts.

A vulnerability is not a threat. A vulnerability is a component of risk, hence my replacement of the word "threat" with "risk" in my suggested replacement sentence.