NIST: Upgraded Vulnerability Database Enables Security Automation Advances
September 30, 2008 // Published as a news service by IHS
| |
| Defense & Security Tools |
IHS sells defense, military and security information services to meet the needs of today's engineers. To learn more, and for a free quote, please complete the form below. |
|
Facilitating efforts to automate important computer security tasks, the National Institute of Standards and Technology (NIST) upgraded the National Vulnerability Database (NVD), a comprehensive repository of public information on potential vulnerabilities in computer systems.
The upgrade centers on the NVD's dictionary, which identifies names of products, such as operating systems and applications.
The new version, NVD 2.2, conforms to a product-naming protocol known as the Common Platform Enumeration (CPE). With NVD 2.2, the official CPE dictionary of 15,500 products is now incorporated into the NVD data.
More than 80,000 updates to the NVD vulnerability data were made in preparation for this upgrade, experts said. The CPE standard enables the NVD product dictionary to achieve a new level of rigor and quality and enables advances in security automation.
In the earlier NVD product dictionary, data was usable only for human consumption because its structure was loosely defined. The new dictionary, however, enables the data to be used for automated, machine-to-machine communications.
NVD 2.2 enables security tools and databases to correlate information with each other based on standardized product identifiers. For example, a database of network assets (which would list hardware and software, as well as patches and service packs) can be correlated with a database of security vulnerabilities to identify which vulnerabilities might be present on instances of software. This is made possible because NVD links its large repository of vulnerability information to standard product names.
NVD data and CPE is used within the computer security specification known as the Security Content Automation Protocol (SCAP). SCAP technology is used by initiatives of the U.S. Office of Management and Budget (OMB), General Services Administration (GSA) and the U.S. Department of Defense (DOD).
Experts said the NVD adoption of CPE and NIST's maintenance of the CPE dictionary will promote standardization of product names throughout the federal government and into much of commercial industry.
NVD was developed by researchers in NIST's computer security division with support from the U.S. Department of Homeland Security (DHS) National Cyber Security Division. For more information, go to http://nvd.nist.gov.
Source: National Institute of Standards and Technology (NIST).