SecurityFocus, 2005-08-12
The National Institute of Standards and Technology and the Department of Homeland Security took the wraps off the National Vulnerability Database this week, but questions still remain whether the federal initiative improves upon existing databases or just adds another choice to the current collections of flaws.
The National Vulnerability Database (NVD) is the latest U.S. Department of Homeland Security initiative to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace. The strategy's incident response initiative, known as the US Computer Emergency Readiness Team (US-CERT), releases some information on serious vulnerabilities, but little or no information on noncritical vulnerabilities, said Peter Mell, a senior computer scientist at NIST and the creator of the NVD.
"My intention was to publish something on everything else," Mell said. "The mission is for every person in the United States to have information on all the vulnerabilities on their computer systems."
The National Vulnerability Database is managed by NIST but funded through the Department of Homeland Security. The group's staff adds 8 new vulnerabilities to the database each day and keeps a variety of current statistics, including a measure of the workload that the release of such flaws places on network administrators.
The creation of the federal collection of flaws comes as security researchers and companies continue to debate the best way to disclose vulnerability information. In July, Cisco and a former researcher for Internet Security Systems resorted to legal maneuvering after the networking giant took exception to researcher Michael Lynn describing a method to run code on Cisco routers. The same month, networking firm 3Com announced it would start buying information about new vulnerabilities from researchers, a controversial business model that few other organizations have adopted.
The National Vulnerability Database avoids much of the controversy by including only public information in its collection of flaws. The project scans the Common Vulnerabilities and Exposures (CVE) list, a listing of serious vulnerabilities maintained by the Mitre Corporation. The NVD expands on the Internet Catalog (ICAT), a previous NIST project that archived the vulnerabilities defined by the CVE list.
The CVE definitions are one of the standards that the National Vulnerability Database depends on, said NIST's Mell. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language, he said.
The reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases.
"We believe there is a need in the market for an aggregator to bring together all the information from all the different sources," said Gerhard Eschelbeck, chief technology officer of vulnerability assessment service Qualys. "But we want the organizations to use all the open standards."
Another emerging standard for rating the severity of flaws, known as the Common Vulnerability Scoring System (CVSS), should also be used, Eschelbeck said. Researchers from Qualys, Cisco and Symantec--the owner of SecurityFocus--initially developed the standard, which is now managed by the Forum of Incident Response and Security Teams (FIRST).
While the National Vulnerability Database does not yet use the system, Mell has already contacted US-CERT about adopting it.
"At US-CERT, they are very interested," he said. "They are actually having a meeting to discuss the CVSS soon."
However, adherence to one of those standards, CVE, is not necessarily a plus, said Brian Martin, content manager for the Open-Source Vulnerability Database (OSVDB).
"If a vulnerability is discovered and not in the CVE database, NVD will not contain it either," Martin said. "While CVE is getting a lot better at looking to alternative sources for vulnerability information, they may still miss stuff."
The OSVDB team's goal is to be a comprehensive resource for vulnerability information, he said.
"Even with our very limited volunteer staff and inability to fully keep up with the influx of new vulnerabilities, what we lack in thoroughness at this time we make up for in services and diversity," Martin said. "One point that OSVDB has been harping on for the last two years is that it's almost twenty years (after the first database) and the databases are still not evolving."
SecurityFocus also maintains a database of vulnerabilities based, among other sources, on its Bugtraq security mailing list. Other security companies maintain their own private databases that they share with customers.
Such databases are not competitors but complementary to the federal effort, said NIST's Mell. The National Vulnerability Database can respond to the needs of government administrators and create a standard for what should be included in such databases, he said.
"It is so important for the world to have multiple vulnerability databases, that I think it is great that there is more than one," Mell said. "You never know if funding will get cut off or if one goes under, so I think we should always have more than one."