National Vulnerability Database updated, upgraded
Latest version of vulnerability database incorporates IT product-naming convention
- By William Jackson
- Sep 17, 2008
What's in a name? Quite a lot, actually. A wealth of information is available on information technology threats and vulnerabilities and the best practices for countering them, but matching that information to your needs can be difficult.
According to a paper Mitre Corp. published in 2007, 'Descriptions of vulnerabilities and configuration best practices have greater utility when all participants share common names for the entities described.' The not-for-profit organization develops and maintains a number of standardized IT naming conventions.
The National Institute of Standards and Technology has incorporated Mitre's Common Platform Enumeration in the latest version of the National Vulnerability Database, a comprehensive repository of information on potential vulnerabilities in computer systems. NIST is applying the CPE product-naming scheme in the NVD dictionary that identifies names of products such as operating systems and applications.
Experienced systems administrators and security analysts can get by with informal naming systems for platforms and products when they are dealing with vulnerabilities and configuration issues. But automated security practices require a more consistent and structured naming scheme that allows tools and people to identify the IT platforms to which a vulnerability or security guidance applies. With a clear naming scheme, administrators can generate IT platform names consistently and predictably.
NIST made more than 80,000 updates to NVD in preparation for the latest upgrade, which enables greater automation of security processes. Data in the earlier NVD product dictionary was suitable only for human use because its structure was loosely defined. However, the new dictionary enables the data to be used in machine-to-machine communications. For example, a database of network assets listing hardware, software, patches and service packs can be correlated with a database of security vulnerabilities, thereby identifying vulnerabilities that might be present on instances of software. That is made possible by linking NVD's large repository of vulnerability information to standard product names.
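The asset-to-vulnerability correlation described above, as an added illustration that is not part of the original article and not NIST's or Mitre's code. It parses product names in the CPE 2.2 URI form (`cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}`, with trailing components optional and an empty component matching any value) and matches a constructed asset inventory against constructed vulnerability records; the host names, vendor and product strings, and vulnerability ids are placeholders, and the matching rule is a simplified form of CPE name matching.

```python
# CPE 2.2 URI binding: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
# Trailing components may be omitted; an omitted or empty component acts as a wildcard.

def parse_cpe(name: str) -> list:
    """Split a CPE 2.2 URI into its seven components, padding omitted ones with ''."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > 7:
        raise ValueError(f"too many components: {name}")
    return parts + [""] * (7 - len(parts))

def cpe_matches(vuln_cpe: str, asset_cpe: str) -> bool:
    """True if every component the vulnerability record names is equal in the asset's name.
    An empty component on the vulnerability side is a wildcard (e.g. 'all updates of 4.0')."""
    v, a = parse_cpe(vuln_cpe), parse_cpe(asset_cpe)
    return all(vc == "" or vc == ac for vc, ac in zip(v, a))

# Constructed sample data: an asset inventory (hardware/OS/software per host) and a few
# vulnerability records keyed by CPE. Ids are placeholders, not real NVD/CVE entries.
ASSETS = {
    "web01": ["cpe:/o:example_os:server:5.2", "cpe:/a:example_vendor:web_server:2.1.4"],
    "ws17": ["cpe:/o:example_os:desktop:4.0:sp2", "cpe:/a:example_vendor:browser:7.0"],
}
VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "affects": ["cpe:/a:example_vendor:web_server:2.1.4"]},
    {"id": "VULN-PLACEHOLDER-2", "affects": ["cpe:/o:example_os:desktop:4.0"]},  # any update level
    {"id": "VULN-PLACEHOLDER-3", "affects": ["cpe:/a:example_vendor:browser:6.0"]},
]

def correlate(assets: dict, vulns: list) -> dict:
    """Map each host to the ids of vulnerability records whose CPE names match an installed product."""
    hits = {host: [] for host in assets}
    for host, installed in assets.items():
        for vuln in vulns:
            if any(cpe_matches(v, a) for v in vuln["affects"] for a in installed):
                hits[host].append(vuln["id"])
    return hits

if __name__ == "__main__":
    for host, ids in correlate(ASSETS, VULNS).items():
        print(host, ids or "no matching vulnerability records")
```

Because the asset side and the vulnerability side use the same structured names, the join is a plain component-by-component comparison rather than a fuzzy text search over free-form product descriptions.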
NVD is a collection of 36 programs with a database back end and a Web browser front end. Researchers in NIST's Computer Security Division, with support from the Homeland Security Department's National Cyber Security Division, developed the database. NVD data and CPE are used in the Security Content Automation Protocol, a specification the Office of Management and Budget, General Services Administration and Defense Department use.
The release of NVD 2.2 is the latest step in the system's evolution from an archival security environment to a system that enables full security automation. NVD replaced NIST's ICAT vulnerability Web site (originally the Internet Catalog of Attacks Toolkit) in 2005. ICAT was updated only every few weeks, and as the pace of new vulnerabilities picked up, it became inadequate as a source of information. DHS had a mandate to provide public information about IT vulnerabilities, and in July 2004, the National Cyber Security Division promised funding to upgrade ICAT. When that funding was delayed, NIST computer scientists began creating NVD on their own. DHS funding for the project came through in time to pay for analysts to keep NVD up-to-date.
NVD also incorporates a search engine for Mitre's Common Vulnerabilities and Exposures, a standardized naming scheme for IT vulnerabilities launched in 1999, and other government resources such as alerts and advisories from the U.S. Computer Emergency Readiness Team.
William Jackson is a Maryland-based freelance writer.