National Vulnerability Database
I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way:
"NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."
There's a link to a workload index, whose URL includes the term "threatindex" (groan). On that page we read:
"Workload Index Information
This index calculates the number of important vulnerabilities that information technology security operations staff are required to address each day. The higher the number, the greater the workload and the greater the general threat represented by the vulnerabilities."
I think the last sentence should instead read:
"The higher the number, the greater the workload and the greater the general risk represented by the vulnerabilities."
I am not sure what the Open Source Vulnerability Database (OSVDB) thinks of the NVD. There is a blog posting about NVD, but no commentary by OSVDB members. I think the OSVDB needs to remain as a place that is independent of US government control. If a truly severe vulnerability is found, who is more likely to publish it first -- nvd.nist.gov or www.osvdb.org?
On a note related to vulnerabilities, here is a list of vulnerability or attack description projects.
- Nessus Attack Scripting Language and the Syngress Nessus Network Auditing book
- Application Vulnerability Description Language (AVDL); also here
- Enterprise Vulnerability Description Language (EVDL)
- Intrusion Detection [Message] Exchange Format (idwg) and drafts
- Common Vulnerability Scoring System (CVSS), discussed here, here, here, and here; also there is an Interactive Common Vulnerability Scoring System
- Open Vulnerability and Assessment Language
- IETF Extended Incident Handling Working Group (INCH), which was preceded by the Incident Object Description and Exchange Format Working Group
- Fingerprint Sharing Alliance
- High Level Firewall Language
These are papers on related subjects:
Comments
-- LonerVamp
I wonder if you could post some more on why you groan about 'threat index' as a security term.
I too have disliked this term 'threat', since I feel it's impossible to measure intent. I prefer to think in terms of 'vulnerabilities' and 'exploits', which are much more measurable IMHO - and I think the use of the word 'threat' is damaging security thinking every time it's used.
Would love to hear your expanded thoughts on this.
Many times I see the word "threat" used improperly. Search the blog for "threat" and you'll find many old posts.
A vulnerability is not a threat. A vulnerability is a component of risk, hence my replacement of the word "threat" with "risk" in my suggested replacement sentence.