A vulnerability is a weakness that allows an attacker to gain entry and cause harm; it may be a design flaw or a misconfiguration. To exploit a vulnerability, the attacker needs an applicable tool or technique that connects to that weakness in the system.
A vulnerability database is the result of an effort to collect information about all known security flaws in software. From the outset, it is obvious this is a massive challenge, because vulnerability information is generated by thousands of sources, including software vendors, vulnerability researchers, and users of the software. Public efforts to assign identifiers to security weaknesses in software, through a number of databases, provide some relief from this challenge.
Here is a list of the top 8 databases designed for this purpose:
1. NIST National Vulnerability Database (NVD)
NVD is the US government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD is based on and synchronized with the CVE List.
As of the creation of this slideshow, the NVD had reported:
- 79,510 CVE vulnerabilities
- 376 Checklists
- 249 US-CERT alerts
- 4,458 US-CERT vuln notes
- 10,286 OVAL queries
- 115,220 CPE Names
“NVD provides organizations the ability to validate and understand the checklist and prescriptive guidance, thanks to the Center of Internet Security,” says Fred Wilmot, chief technology officer at PacketSled. “NVD is delivered in a structured language for all to consume in SCAP or CVSS. The main pro for NVD (and CVE, for that matter) is the commonality and structure of the format. It’s not just about reporting and keeping current in vulnerability data like 0-days, but that they can also feed a risk framework and help validate applicability or relevance of attacks.”
2. Mitre Common Vulnerabilities And Exposures (CVE)
CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
Morey Haber, VP of technology at BeyondTrust, offers these examples:
- Scanning tools most commonly use CVEs for classification
- SIEM technologies understand their applicability in reporting
- Risk frameworks use them as a calculation vehicle for applied risk to the business
“Now that you have a common calculator for interoperability among vendors, the fact that CVE is maintained completely transparently to the community is a HUGE pro,” says Fred Wilmot, chief technology officer at PacketSled. “There is no holdout of exploits for vulnerabilities based on financial gain or intent. It’s altruism at its best. The weakness in the CVE comes in the weaponization of that information and the lack of disclosure for profit and activism, as two examples.”
3. CERT Vulnerability Notes Database (VNDB)
The Vulnerability Notes Database provides information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Most vulnerability notes are the result of private coordination and disclosure efforts. For more comprehensive coverage of public vulnerability reports, consider the National Vulnerability Database (NVD).
“This is nice to have, but it still uses CVEs as reference,” says Fred Wilmot, chief technology officer at PacketSled. “NVD is not nearly as practical to consume directly as CVE — the disclosure form is fine, but why would I go there and not directly to MITRE for CVE establishment first? However, it’s probably a good place to spend time during an investigation.”
4. VulnDB From Risk Based Security
Risk Based Security offers the VulnDB, a third-party reference database with API access and complete details providing for comprehensive vulnerability intelligence through a continuously updated data feed. Based on the largest and most comprehensive vulnerability database, VulnDB allows organizations to poll for the latest in software security vulnerability information. The VulnDB data feed subscription offering provides organizations with timely vulnerability information.
“VulnDB does not contain audit information, but it is a good source for solutions that need to reference vulnerability information in their products such as firewalls or IDS/IPS and do not want to rely on open source or to build/maintain a library,” said Morey Haber, VP of technology at BeyondTrust.
5. DISA IAVA Database And STIGS
CVE IDs are mapped to the US Defense Information System Agency’s (DISA) Information Assurance Vulnerability Alerts (IAVAs), downloads of which are posted on DISA’s public Security Technical Implementation Guides (STIG) website.
“IAVA, the DISA-based vulnerability mapping database, is based on existing SCAP sources, and once in a while it contains details for government systems that are not a part of the commercial world,” says Morey Haber, VP of technology at BeyondTrust. “For any vendor doing .gov or .mil work, this reference is a must.”
“STIGS is another government reference library focused on hardening and configurations. Many vulnerabilities are related to simple settings or configurations; having this mapping is essential for FedRAMP/NIST compliance,” Haber adds.
6. SecurityTracker.com
SecurityTracker.com is a third-party vulnerability database library that is updated daily. “The website tends to focus on non-OS vulnerabilities, but they are certainly included in the feed,” says Morey Haber, VP of technology at BeyondTrust. “Infrastructure and IoT tend to make the front page the most, and this site is a good third-party reference for new flaws.”
7. Open Vulnerability And Assessment Language (OVAL) Interpreter And Repository
OVAL is an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. A community-developed language for determining vulnerability and configuration issues on computer systems, OVAL is co-sponsored by the office of Cybersecurity and Communications at the US Department of Homeland Security.
“OVAL’s interpreter, together with the repository, provides the recipient with information about whether a particular vulnerability exists on a system,” says Harry Wan, chief technology officer and co-founder of DatumSec. “This information proves extremely useful when determining on-premises third-party risk scores.”
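To make concrete what “determining whether a particular vulnerability exists on a system” means in an OVAL-style check, here is an added example that is not part of the article and does not use OVAL's real XML schema or interpreter. It models, in simplified form, the structure OVAL definitions share: a tree of criteria combined with AND/OR operators (optionally negated) whose leaves reference tests, each test comparing collected system state (here a constructed package inventory) against a condition. The package names, versions and test references are all constructed for the example.

```python
"""Added example: a simplified model of evaluating an OVAL-style vulnerability
definition against collected host state. Not OVAL's schema; data is constructed."""
from dataclasses import dataclass, field


def version_key(v):
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


# Constructed host inventory, as a collector would report it (package -> version).
INVENTORY = {"openssl": "1.0.2", "bash": "5.1.16", "sudo": "1.8.31"}

# Constructed tests: each means "package is installed and its version is below the fix".
TESTS = {
    "tst:openssl_old": ("openssl", "1.0.3"),
    "tst:bash_old": ("bash", "4.4"),
    "tst:sudo_old": ("sudo", "1.9.5"),
}


@dataclass
class Criteria:
    """A criteria node: combines children (Criteria or test-ref strings) with AND/OR."""
    operator: str = "AND"
    negate: bool = False
    children: list = field(default_factory=list)


def run_test(test_ref, inventory, tests):
    """Evaluate one leaf test; a package that is not installed cannot be vulnerable here."""
    pkg, fixed_version = tests[test_ref]
    installed = inventory.get(pkg)
    if installed is None:
        return False
    return version_key(installed) < version_key(fixed_version)


def evaluate(node, inventory, tests):
    """Recursively evaluate a criteria tree to True (definition applies) or False."""
    if isinstance(node, str):
        return run_test(node, inventory, tests)
    results = [evaluate(child, inventory, tests) for child in node.children]
    combined = all(results) if node.operator == "AND" else any(results)
    return (not combined) if node.negate else combined


# Constructed definition: affected if (old openssl AND old sudo) OR old bash.
DEFINITION = Criteria("OR", children=[
    Criteria("AND", children=["tst:openssl_old", "tst:sudo_old"]),
    "tst:bash_old",
])


def host_is_affected(inventory=INVENTORY, definition=DEFINITION, tests=TESTS):
    """True when the collected state satisfies the definition's criteria tree."""
    return evaluate(definition, inventory, tests)


if __name__ == "__main__":
    print("affected" if host_is_affected() else "not affected")
```

The numeric version comparison is the part worth copying: a lexical comparison would call `5.1.16` older than `4.4` and `1.8.31` newer than `1.9.5`, producing exactly the false negatives and false positives that make a home-grown checker untrustworthy.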
8. Information Sharing And Analysis Centers (ISACs)
Sector-specific Information Sharing and Analysis Centers (ISACs) are non-profit, member-driven organizations formed by critical infrastructure owners and operators to share information between government and industry. The primary goal of ISACs is to quickly disseminate physical and cyberthreat alerts and other critical information to the member organizations.
If your business operates within a critical infrastructure sector, consider becoming a member of an ISAC. Below you’ll find a small portion of the ISACs associated with the National Council of ISACs. There are many more on the National Council of ISACs website.
- MS-ISAC (multi-state): The MS-ISAC is the focal point for cyberthreat prevention, protection, response, and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments.
- FS-ISAC (financial services): FS-ISAC is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing.
- A-ISAC (aviation): The aviation ISAC provides an aviation-focused information sharing and analysis function to help protect global aviation businesses, operations, and services.
- AUTO-ISAC (automotive): The automotive ISAC is a non-profit information-sharing organization that is owned and operated by automotive manufacturers and suppliers — 98% of vehicles on the road in the United States are represented by member companies in the AUTO-ISAC.
- ONG-ISAC (oil and gas): The oil and natural gas ISAC was created to provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses present throughout the oil and gas industry.
- NH-ISAC (national healthcare): The official healthcare information sharing and analysis center offers non-profit and for-profit healthcare stakeholders a community and forum for sharing cyber and physical threat indicators, best practices, and mitigation strategies.
- IT-ISAC (information technology): Members participate in national and homeland security efforts to strengthen the IT infrastructure through cyber information sharing and analysis.
There also are a growing number of Information Sharing and Analysis Organizations, or ISAOs, specific to various industries, groups, and regions. ISAOs stem from a 2015 Executive Order calling for the formation of more intel-sharing groups among specific communities.
By Vivek Badoni
Member, Reporters’ Committee