Articles about National Vulnerability Database

The NIST/NVD situation and vulnerability management programs

In the infosec world we continually preach about “defense in depth,” or layered security. The idea is that if a defensive measure at one layer fails, there are additional layers behind it that serve as a safety net. An interesting application of these concepts comes in examining the data feeds that provide information to our security tools. If one of the feeds goes down, will our security tooling continue to work as expected?

This recently came to light when the National Institute of Standards and Technology (NIST) announced that it cannot keep up with the number of software bugs being submitted to the National Vulnerability Database (NVD). According to NIST itself, it has only analyzed roughly one-third of the Common Vulnerabilities and Exposures (CVEs) submitted this year. Since many organizations rely on NVD information in their vulnerability management programs, this is distressing news. For organizations in this situation, the question then becomes: How do we minimize the impact of the NIST backlog?

© 1998-2025 BetaNews, Inc. All Rights Reserved.