Stories
Slash Boxes
Comments

SoylentNews is people

Software Vulnerabilities are Becoming More Numerous, Less Understood

posted by Fnord666 on Thursday February 28 2019, @02:55PM   Printer-friendly
from the hello-entropy dept.

jas writes:

The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies-acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years, it has been good enough—while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.

Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.

In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though they overstate the severity of the problem, as an (empirical) research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."

https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Software Vulnerabilities are Becoming More Numerous, Less Understood | Log In/Create an Account | Top | 63 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday February 28 2019, @08:02PM (1 child)

    by Anonymous Coward on Thursday February 28 2019, @08:02PM (#808327)

    Is it bloat? Or is it complex features?

    It is bloat.

    Which is more bloated? Notepad or Word?

    Which is tastier, an apple or an orange?

    Your comparison is poor. The examples serve significantly different needs. Try something like "which is more bloated, Word 95 or Word 2019?" or "which is more bloated, Windows 7 or Windows 10?" or "which is more bloated, OS X 10.6 or OS X 10.14?"

    Starting Score:    0  points
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Total Score:   1  

  • (Score: 2) by DannyB on Thursday February 28 2019, @09:33PM

    by DannyB (5839) Subscriber Badge on Thursday February 28 2019, @09:33PM (#808378) Journal

    My comparison is meant to address that sometimes when people complain about bloat they might be wanting the "Notepad" solution and think that nobody else would be served by the significantly different "Word" solution. Because what they need is what everyone else needs.

    Or to put it in concrete terms, if Java didn't serve a real need, it wouldn't be the number one language for years in a row on multiple programming language indexes. Somebody out there must be finding it useful and economical.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.