Many moons and a few eclipses ago, I wrote my master’s thesis on Common Vulnerabilities and Exposures and the National Vulnerability Database, or NVD. Back then, I was pretty nerdy about these things. Recent events have me thinking back to those days, the promise of the NVD, and how we got to where we are today.

Built up over two decades, the NVD is a core, critical piece of infrastructure used by the vast majority of the world's cybersecurity organizations. It is therefore a serious issue that the NVD has not been updated consistently by the National Institute of Standards and Technology, or NIST, since early February 2024.

While many in the industry point fingers at NIST, which is responsible for managing the NVD, almost nobody is looking in the mirror. As an industry, we must accept our share of the blame for this situation. The result of this dysfunction is that all of the work we did almost 20 years ago to standardize and share vulnerability information is rapidly unraveling in front of our eyes.

NVD: A brief history

During the internet boom, every vendor's vulnerability scanner used its own identification scheme, so the same flaw carried a different name in each product and findings could not be compared or shared. The response was a unified, vendor-neutral identifier list (the CVE list mentioned above) that we all could contribute to: a single language for tracking vulnerabilities and sharing information, so that everyone would be on the same page. With a common language and information sharing, it had all the hallmarks of early internet optimism.

The NVD was established by NIST in 2005 as a repository of standards-based vulnerability management data. It is a practitioner resource that provides security checklist references, descriptions of software flaws and misconfigurations, affected-product data, and impact metrics, with severity expressed in the Common Vulnerability Scoring System (CVSS) so that prioritization and compliance reporting can be automated.

And it’s been a success. A publicly managed resource for the private sector, providing transparent resources, data and a unified scoring system to understand vulnerabilities and risk prioritization. Everyone was singing from the same sheet of music, at least until this year. The latest update from NIST on April 25, 2024, communicated a shocking development:

“There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis,” it said. “This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities.

“In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well,” it said. “We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.”

The seriousness of this issue was highlighted in the 2024 Verizon Data Breach Investigations Report released on May 1, which found:

— The number of attacks that involved the exploitation of vulnerabilities nearly tripled over the previous year.

— Once a patch is available, it takes organizations around 55 days to remediate 50% of their critical vulnerabilities.

Vendor scoring

The value of the NVD as a central repository for analyzing and understanding vulnerabilities can only be fully appreciated in its absence. Without that common source of standardized information, we are left with dozens of vendors competing for the title of "single source of truth". The result is not clarity and truth, but clutter and confusion.

There are too many self-interested vendors pushing their own vulnerability scoring. The issues are obvious:

— Inconsistent scoring across vendors leads to different severity scores for the same issue. Some vendors update scores as information about exploitation changes, while others treat a score as a static snapshot in time.

— The resources and skill sets of the analysts assigning scores vary greatly from vendor to vendor.

— It is often unclear whether a score is meant to drive compliance or to measure actual risk.

Private, public collaboration

As an industry, we haven’t done a good job of collaborating between the private and public sectors to achieve the best outcome. In the area of vulnerability management, it’s been a one-way street.

We expect the federal government to continue to fund this critical resource without clear expectations on how to give back to the program. The private sector has just been taking from the government in this particular area, and there’s pretty minimal investment from the private sector back into the NVD. Now NIST is stuck asking for sponsors because they do not have enough money to keep up with the ever-increasing workload of analyzing and documenting new vulnerabilities.

We can see what a mess vulnerability management is without NIST playing its central, multi-decade role as the transparent arbiter of information. Without them, we’re left with a wholly inefficient process and entirely too many chefs.

Even with a functioning NVD, it takes 55 days to remediate 50% of critical vulnerabilities once their patches are available. Now imagine having to wade through multiple vendor scores, working out what angle each vendor is coming from, how complete and thorough its data is, when it was last updated, and so on.

We’re walking straight into a mess at a time when threat actors are more focused than ever on exploiting zero-day vulnerabilities. Let’s fix the NVD together. Time is not on our side.

Scott Kuffer is COO & co-founder of Nucleus Security.
