TMCnet Feature
June 25, 2020

Using Open Vulnerability Databases to Improve Your Security Posture



Many private companies, governments, banks, and every viable industry are working on digitizing their services and offering web-based solutions. As more data streams throughout the world, so do vulnerabilities. When left unchecked, vulnerabilities often turn into exploits. In this article, you will learn what are vulnerability databases, and how you can use them to improve your security posture.



What Are Vulnerability Databases?

Vulnerability databases are collections of information regarding vulnerabilities and security threats. These platforms are used to aggregate, maintain, and share information with security communities to boost the security posture of organizations and individuals.

Often databases use a standardized method of organizing and ranking vulnerabilities. For example, many databases use Common Vulnerabilities and Exposures (CVE) IDs in combination with the Common Vulnerability Scoring System (CVSS) to indicate severity and potential risk.

Databases can include a wide variety of vulnerabilities and threats. Some of the most common inclusions are:

  • Initial deployment failures—vulnerabilities in hardware or software created during deployment, including default security settings, weak passwords, or poor security controls.
  • Exploitation of bugs—includes issues such as remote code injection or buffer overflow. These vulnerabilities take advantage of insecure coding practices or environmental conflicts.
  • Misconfiguration—frequently related to permissions issues. Organizations may leave resources publicly available or fail to restrict network and application traffic.
  • Zero-day vulnerabilities—a software vulnerability that is discovered by hackers before the organization has become aware of it. Attackers can easily exploit the vulnerability knowing that no defenses are in place.

Why Do You Need Vulnerability Databases?

Vulnerability databases are useful tools for ensuring that you remain aware of possible threats to your systems. These tools enable you to benefit from the efforts of the larger security community and the work of security researchers.

Databases are the most effective way to stay up-to-date on vulnerabilities as issues are announced. Without these platforms, you would be responsible for actively seeking out information about each component in your system and managing patches accordingly.

In particular, databases can provide the following benefits:

  • Provide a centralized source of information on vulnerability identification, relevance, and remediation.
  • Facilitate communication of information related to vulnerabilities in a standardized way.
  • Promote accountability for vulnerabilities in vendors since information is transparent and publicly available.
  • Ease collaboration by providing a universal language for vulnerability identification and level of risk.

How Vulnerabilities Get Reported

How vulnerabilities are reported depends on the database an issue is reported to. Some databases only aggregate information collected by others while some are compiled from independent research. Many databases, however, receive reports from independent researchers, users, and vendors.

Ideally, when a vulnerability is discovered, it is reported directly to the vendor or if it is open-source, to the project maintainer. This enables creators to access the issue and develop a patch before the vulnerability is made public. Typically, developers are granted a grace period of 30 to 90 days before a vulnerability is announced. This prevents criminals from abusing vulnerability information before organizations can patch the issue.

After a vendor or project maintainer has been notified, reporters generally also notify MITRE. MITRE is a non-profit organization, sponsored by the U.S. government. It is responsible for maintaining one of the largest vulnerability databases and has created the CVE structure used to identify vulnerabilities. Its database is also frequently referred to as CVE.

When MITRE is notified of a vulnerability, it assigns the issue a number and publishes the information to the public after the grace period ends. CVE is publicly accessible, meaning that once a vulnerability is announced, affected organizations need to take immediate action to remain protected.

Although many vulnerabilities are reported in the manner covered above, this process is not mandated in any way. It is up to the discoverer or vendor to report as they see for. While it is unlikely that vulnerabilities in proprietary software are not reported, this is not the case for open-source projects. In particular, smaller projects may only report vulnerability information to an immediate community such as a forum or mailing list.

Top Vulnerability Databases

There are many vulnerability databases available to choose from. Many of these databases duplicate data but often also contain unique information. To ensure that you remain as informed as possible, you should follow multiple databases. Ideally, you should ingest database data directly with vulnerability monitoring and scanning solutions.

National Vulnerability Database (NVD)

NVD is a database that gathers information from CVE and adds analyses to help security professionals better understand how to prevent and address vulnerabilities. It is managed by the U.S. government and is publicly available.

When entries are added to NVD, information includes security checklist references, affected products and configurations, level of risk, and recommended remediation steps. This information is used to inform NVD’s Security Content Automation Protocol (SCAP), a framework for automating vulnerability management.

CERT Vulnerability Notes Database

The Vulnerability Notes Database is a collection of vulnerability information that is primarily collected from independent research and privacy disclosures. It is operated by the Software Engineering Institute of Carnegie Mellon University. Collected vulnerabilities include summaries of technical details, affected vendors, and information for remediation.

Vulnerability Lab

Vulnerability Lab is an open-source database maintained by WhiteSource, a security company for open-source software. Entries include information about vulnerability language, type, severity level, exposure volume, and suggestions for remediation. You can search for vulnerabilities by CVE or project name, although some vulnerabilities come from outside the NVD database and don’t include a CVE.

VulDB

VulDB is an open-source database that includes over 150k entries. It enables you to search for vulnerabilities by a wide range of criteria and provides visualizations for threat trends. Most information in the database is provided to the public for free but advanced stats and tools are available with a subscription.

Security Focus Vulnerability Database

Securityfocus is a publicly available database of vulnerabilities. It enables you to search by vendor, title, version, and CVE.

As a supplement to this information, Security Focus also manages BugTraq, a full-disclosure, high-volume mailing list that includes detailed vulnerability discussions and announcements. This list is a longstanding feature of the Internet security community and can provide comprehensive information about many vulnerabilities.

Conclusion

Vulnerability databases collect information about new and known vulnerabilities. Each database reports vulnerabilities differently, but most often the MITRE organization currates the majority of reports, and classifies vulnerabilities.

Usage of these vulnerability databases is typically free. Some databases are run by government entities or non-profit organizations, while others are run by private bodies. You can make use of the databases by checking the viability of your systems.

Each year sees an increase in vulnerabilities, with 2019 ending with a 17.6% increase and a total of 20,362 new vulnerabilities reported. When vulnerabilities aren’t addressed, they become exploited. While not all exploits end in a successful breach, most do. So, keep your systems and networks protected by keeping an eye on vulnerabilities and prioritize mitigation.

--------------------

Author Bio: Eddie Segal

I'm an electronics engineer with a Master’s Degree from Be’er Sheva University, a big data and web analytics specialist, and also a technology writer. In my writing I cover subjects ranging from cloud computing to agile development to cybersecurity and deep learning.

LinkedIn (News - Alert): https://www.linkedin.com/in/eddiesegal/



» More TMCnet Feature Articles
SHARE THIS ARTICLE

LATEST TMCNET ARTICLES

» More TMCnet Feature Articles