Tuesday, 16 August 2005

National Vulnerability Database

I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way:

"NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."

There's a link to a workload index, whose URL includes the term "threatindex" (groan). On that page we read:

"Workload Index Information

This index calculates the number of important vulnerabilities that information technology security operations staff are required to address each day. The higher the number, the greater the workload and the greater the general threat represented by the vulnerabilities."

I think the last sentence should instead read:

"The higher the number, the greater the workload and the greater the general risk represented by the vulnerabilities."


I am not sure what the Open Source Vulnerability Database (OSVDB) thinks of the NVD. There is a blog posting about NVD, but no commentary by OSVDB members. I think the OSVDB needs to remain as a place that is independent of US government control. If a truly severe vulnerability is found, who is more likely to publish it first -- nvd.nist.gov or www.osvdb.org?

On a note related to vulnerabilities, here is a list of vulnerability or attack description projects.


These are papers on related subjects:
