
posted by Fnord666 on Thursday February 28 2019, @02:55PM
from the hello-entropy dept.

The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies: it acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years, it has been good enough—while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.

In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though they overstate the severity of the problem, as an (empirical) research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."

https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/


  • (Score: 2) by Freeman on Thursday February 28 2019, @03:13PM (3 children)

    by Freeman (732) on Thursday February 28 2019, @03:13PM (#808140) Journal

    With the increased usage of software, there's bound to be even more vulnerabilities, so that's not terribly surprising. Less understood implies that the general public had a clue in the first place. I see no reason why a vulnerability would be harder to understand for those that need to fix it or protect against it. With all of the recent breaches in security, it should also be a lot easier for their boss, and boss's boss, to understand the need for security. Though, perhaps I'm missing something.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 4, Insightful) by JoeMerchant on Thursday February 28 2019, @03:43PM

    by JoeMerchant (3937) on Thursday February 28 2019, @03:43PM (#808158)

    I see no reason why a vulnerability would be harder to understand for those that need to fix it or protect against it.

    As compared to the days when, say, the STONED floppy boot sector virus was the major threat, I'd say that modern systems are more complex by a couple of orders of magnitude and that does make them harder to understand, fix and protect.

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Thursday February 28 2019, @03:55PM

    by Anonymous Coward on Thursday February 28 2019, @03:55PM (#808161)

    Many programming languages/runtimes have package managers that have grown up around them. These package managers can pull in mountains of code to any given project. That certainly makes security more problematic and opaque even to developers.

  • (Score: 5, Insightful) by RamiK on Thursday February 28 2019, @04:44PM

    by RamiK (1813) on Thursday February 28 2019, @04:44PM (#808181)

    Some new exploits are targeting hardware details that aren't openly documented or even available to the driver developers. For Intel ME you at least had a few outside developers working for motherboard OEMs and NICs that read Intel's docs and even saw some of their sources. And there were open implementations for the specs around, so people had a pretty good idea what's going on in general. Then you had those ARM cores found on x86 server boards providing the management features that admins were messing with on a daily basis... Those were running Linux and serving HTML, so some poking around got you quite far. But nowadays you have the microcontrollers on everything from your hard disk to your motherboard's SATA and USB switches being targeted, since they've gradually come to run on increasingly more generic compute cores as nodes kept shrinking. How many people even know the instruction sets for those, let alone the software? And how many of those work for antivirus companies?

    --
    compiling...