Whether the cause is insurmountable technical debt, lack of funds, a third reason or all of them, NIST's National Vulnerability Database is struggling, and it's affecting vulnerability management efforts.
NIST hasn't further explained wherein the problem lies, nor did it say when the cybersecurity community might expect the problem to be solved.
According to Tom Alrich, leader of the OWASP SBOM Forum project, Tanya Brewer, the head of the NVD, might offer more information and answer questions this week.
Vulnerability management solutions rely on NVD. In the meantime, enterprise defenders have effectively lost a critical resource, since many vulnerability scanners and other vulnerability management tools rely on the CPE entries set by the NVD to pinpoint and address security vulnerabilities affecting an organization's systems.
NVD is not the only vulnerability database out there.
Companies such as Rapid7 and Qualys had to reassure customers that their products don't depend on NVD as the only source of vulnerability and risk information.
Despite its faults, NVD is obviously still a crucial resource that currently has no suitable replacement when it comes to delivering crucial metadata about vulnerabilities in proprietary software.
A positive thing about the current situation is that the many NVD drawbacks are now being outlined and discussed again, and that a workable solution MUST be found.
Whether that means the end of NVD or drastic changes for the project remains to be seen.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 19 Mar 2024 14:13:05 +0000