Security database: The hits just keep on coming

NIST's National Vulnerability Database now lists 20,000 flaws and shows no sign of slacking.

Just over a year ago, the National Institute of Standards and Technology built an online database to help organizations track security flaws in popular software products.

The National Vulnerability Database Web site is on pace to receive 25 million hits per year, according to NIST, so users obviously like it. And the need for it has never been greater. The database, which began with a list of 12,000 vulnerabilities, recently hit 20,000, with no sign of slowing.

“I think 20,000 is just the tip of the iceberg,” said Peter Mell, a senior computer scientist at NIST who created the database. He said software vulnerabilities are increasing exponentially, and vendors are unaware of many security flaws lurking within their applications.

Alan Paller, director of research at the SANS Institute, said the majority of the 5,000 most recently posted vulnerabilities involved Web-related applications. In early September, NIST and Red Hat established a commenting forum for companies that wanted to report vulnerabilities that could affect multiple software applications.

The NIST database categorizes software problems by product name, vendor name and version number, and it provides information on known fixes and links to relevant industry sources. The database also notes the severity of each flaw, using the industry-standard Common Vulnerability Scoring System so users can decide which problems to address first, according to NIST.
