
posted by Fnord666 on Thursday February 28 2019, @02:55PM   Printer-friendly
from the hello-entropy dept.

The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies: it acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, which is run by the non-profit Mitre Corporation, also with government funding. For years it has been good enough; while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.

In fairness to Risk Based Security, there is a known delay in NVD's CVSS scoring of newly published CVEs, though they overstate the severity of the problem: an empirical research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."

https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/


(Score: 2) by DannyB (5839) Subscriber Badge on Thursday February 28 2019, @07:09PM (#808277) Journal

    I never used an S/360 or 370. But I did get to briefly use an IBM 1130 with punch cards and an 029, and sometimes 026 keypunch. Just for one semester. Then interactive CRTs on a new (but obscure) minicomputer. I first learned to write significant assembler code on that beast, as well as learn several high level languages, including at the end, Pascal.

    I also wrote 8086 code in the early 1980s to do high speed scrolling, writing, filling, etc. of characters into rectangular "windows" of the IBM PC character display. Going through the BIOS int 13, let alone DOS, was too slow.

    I say that because people think that my affinity for garbage collection and high level languages means I don't know how to do anything low level or manage memory.

    I also (ahem) did binary machine code patches to some software to bypass a nag screen that would come up. Not anything to do with licensing. But this one program (*cough* Microsoft Works *cough*) on Macintosh would start up going to an open / new dialog, when it could go to a different mode at startup that was accessed by just clicking Cancel. So I traced the execution, and came up with a tiny patch. Everyone in the office loved it. It had nothing to do with piracy.

    Let's not, and say we did.

    So really, moving to an OS, and a language like C is a true advancement, at that time.

    Yet people then resist further advancements. But back in the 1970s I remember people arguing that we should never use high level languages like FORTRAN or, heaven forbid, Pascal.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.