- NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.
The NVD represents a collection of Common Weakness Enumeration (CWE) entries that provide a common language for discussing, finding and dealing with the causes of software security vulnerabilities. Each individual CWE entry represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation, with support from the National Cyber Security Division (DHS). This list provides a detailed definition for each individual CWE.
All individual CWEs are held within a hierarchical structure that allows for multiple levels of abstraction. CWEs located at higher levels of the structure (e.g. Configuration) provide a broad overview of a vulnerability type and can have many child CWEs associated with them. CWEs at deeper levels of the structure (e.g. Cross-Site Scripting) provide a finer granularity and usually have few or no child CWEs.
NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. This cross section of CWEs allows analysts to score CVEs at both a fine and a coarse granularity, which is necessary because different CVEs are described with varying levels of specificity. As of September 2014 the NVD contained a list of 64,098 vulnerabilities.
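To make the idea of scoring at both fine and coarse granularity concrete, here is an added Python example (not NVD's or MITRE's code) that rolls CVE-to-CWE assignments up to a chosen cross section of the hierarchy so they can be counted on a common level; the hierarchy fragment, the cross section and the CVE ids are constructed for illustration.

```python
from collections import Counter

# Constructed fragment of the CWE hierarchy (child -> parent, None = top level);
# real CWE ids, but the links are simplified for illustration.
CWE_PARENT = {
    "CWE-707": None,       # Improper Neutralization (broad)
    "CWE-74": "CWE-707",   # Injection
    "CWE-79": "CWE-74",    # Cross-Site Scripting (fine-grained)
    "CWE-664": None,       # Improper Control of a Resource (broad)
    "CWE-119": "CWE-664",  # Buffer-bounds errors
    "CWE-787": "CWE-119",  # Out-of-bounds Write (fine-grained)
}

# The cross section an analyst measures against (constructed choice).
CROSS_SECTION = {"CWE-74", "CWE-119"}

# Constructed CVE-to-CWE assignments (placeholder CVE ids) at mixed levels.
SAMPLE_ASSIGNMENTS = {
    "CVE-XXXX-0001": "CWE-79",    # fine-grained, rolls up to CWE-74
    "CVE-XXXX-0002": "CWE-74",    # already at cross-section level
    "CVE-XXXX-0003": "CWE-787",   # fine-grained, rolls up to CWE-119
    "CVE-XXXX-0004": "CWE-707",   # coarser than the cross section
    "CVE-XXXX-0005": "CWE-9999",  # id missing from our fragment
}

def lineage(cwe):
    """Return [cwe, parent, grandparent, ...] up to the root, or [] if unknown."""
    chain = []
    seen = set()
    while cwe is not None and cwe in CWE_PARENT and cwe not in seen:
        seen.add(cwe)  # guards against a malformed cyclic map
        chain.append(cwe)
        cwe = CWE_PARENT[cwe]
    return chain

def roll_up(cwe, targets=CROSS_SECTION):
    """Nearest entry of `targets` on the path from cwe to the root, else None."""
    for ancestor in lineage(cwe):
        if ancestor in targets:
            return ancestor
    return None

def count_by_cross_section(assignments, targets=CROSS_SECTION):
    """Count CVEs per cross-section CWE; unmappable ones land under 'unmapped'."""
    counts = Counter()
    for cwe in assignments.values():
        counts[roll_up(cwe, targets) or "unmapped"] += 1
    return counts
```

Entries coarser than the cross section or absent from the map are reported as `unmapped` rather than silently dropped, which is the case a measurement report needs to surface.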
The first step in preparing for the acquisition of additional security expertise from manufacturers, vendors, security service providers and consultants is the identification of information assets that are vulnerable to cyber attacks. This should be based on public intelligence about the characteristics of already known breaches of information security. Public knowledge about cyber attacks should then be supplemented with an examination of data from the National Vulnerability Database (NVD). Concentrated attention should be given to understanding the information obtained from the security flaws listed in the Common Vulnerabilities and Exposures (CVE) database.
Short-term actions should then proceed with an examination of the immediate threats confronting the networks in place, as notified in Computer Emergency Response Team (CERT) advisories. Communications with CERT must be maintained without interruption (24/7) in order to capture information about any "zero day" security exploits that need immediate corrective action.
Intermediate-term actions will call for the evaluation and validation of offerings from existing vendors and suppliers to find what can be accomplished with the installation of more robust countermeasures against cyber flaws. Such actions may require enhancement of existing security methods or a complete replacement of the security methods already in place.
Long-term actions call for a complete reappraisal of the risk environment of the enterprise. This should deal with a 3-5 year projection of new vulnerabilities as attacker technologies improve and as the digital presence of employees, contractors and suppliers starts to offer a much larger risk surface that must be defended.