NIST releases vulnerability database

The National Institute of Standards and Technology has launched a comprehensive cybersecurity vulnerability database that is updated daily with the latest information on vulnerabilities in popular products.

The National Vulnerability Database (NVD) integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The Web site, nvd.nist.gov, contains about 12,000 vulnerability entries with around 10 being added per day, said Peter Mell, a senior computer scientist with NIST and creator of NVD.

The database will be useful to members of the public who want detailed information about vulnerabilities within specific products and trends within industry segments, as well as to developers who need to import vulnerability information into their security products, Mell said.

The NVD is funded by the Department of Homeland Security’s National Cyber Security Division and is designed to complement the department’s suite of vulnerability management offerings, Mell said. DHS’ Technical Cyber Security Alerts and Vulnerability Notes contain detailed information, but warn the public only about the most critical vulnerabilities, he said.

The NVD, on the other hand, “is an encyclopedia of everything,” Mell said.

The database is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard, which was developed by representatives from academia, government and industry.

Maintained by Mitre Corp., CVE is a dictionary, not a database. It is designed to make it easier to share data across separate vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability between those products. NVD will aid that interoperability effort by enhancing the CVE name standard with detailed vulnerability information, Mell said.

The entire NVD database of vulnerability information is freely available to the public as an Extensible Markup Language (XML) feed. This will help developers include the information within their IT security products. The NVD can also generate statistics that reveal vulnerability discovery trends within industry segments and products, Mell said.

A statistics generation engine lets users chart and graph custom statistics. For instance, they can see that vulnerabilities such as buffer overflows, which have been around for a long time, are still being discovered in large numbers even though tools are available to eliminate this problem, Mell said.
