Microsoft Live Meeting Export Attendees Meaning
Spanning 1. 0 pages, likely for extra ad revenue, the subtitle reads: Keeping up with the latest vulnerabilities — especially in the context of the latest threats — can be a real challenge. One would hope this article would help with that challenge, and it most certainly is one. First, a disclaimer; I was involved with OSVDB for roughly 1. Further, I am now involved with Risk Based Security’s VulnDB commercial vulnerability database offering.
Both of these are mentioned in the article, so my comments below will most certainly have some level of bias. To help readers, Sean Martin writes “In no particular order, here are nine key vulnerability data sources for your consideration.” With that, flip to the next page of the article.

It’s important to understand the source — and backing for your source — to avoid getting left without a solid vulnerability database. A good example is the case where many had to say goodbye to their vulnerability feed when minority-player Open Source Vulnerability Database (OSVDB) was shut down. “Not having OSVDB any longer, while sad for those that relied on it, may actually reduce the complexity in making sure there is integration across all products, MSSPs, services, and SIEMs,” says Fred Wilmot, chief technology officer at PacketSled. I am not sure how OSVDB constituted a “minority-player” in any sense of the term given the broad coverage for a decade. While historical entries were often incomplete, the database was commercially maintained from just before January, 2. Since the quote specifically mentions that OSVDB shut down, and it did on April 5, 2. OSVDB shutting down, I would argue, does not reduce the complexity of anything for those knowledgeable about vulnerability disclosure.
On the surface, sure! One less set of IDs to integrate across products sounds like a good thing. However, you have to also remember that OSVDB was cataloging thousands of vulnerabilities a year that were not found in the other sources listed in this article. That means there is a level of complexity here that is horrible for companies trying to keep up with vulnerabilities. Page 3 tells readers about NIST’s National Vulnerability Database (NVD): NVD is the US government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.
NVD is based on and synchronized with the CVE List (see next slide). First, since NVD is synchronized with CVE, it is curious that they are listed as separate sources. For those not aware, NVD is a sort of . Monitoring NVD means you are already monitoring all of CVE and getting the additional meta-data.
It is also important to note that the meta-data is outsourced to a contractor who employs . This becomes apparent if you consume their data and actually look at their CVSS scores over the last ~ 8 years. Personally, I stopped emailing them corrections many years back due to the volume involved. To this day, you can still often see them scoring Adobe Flash vulnerabilities as CVSSv.
Seems minor, but that reclassifies a vulnerability from . CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. Morey Haber, VP of technology at BeyondTrust, offers these examples: Scanning tools most commonly use CVEs for classification. SIEM technologies understand their applicability in reporting. Risk frameworks use them as a calculation vehicle for applied risk to the business. First, I cannot over-share Steve Ragan’s recent article titled “Over 6,0.
MITRE’s CVE project in 2. Consider just the headline, and then think about the fact that CVE does not catalog at least 4. Now, re-read Haber’s examples of how CVE is used and what kind of Achilles’ heel that is for any organization using security software based on CVE. Fred Wilmot’s quote about CVE is what prompted me to write this entire blog. This is so incredibly wrong and misleading: “Now that you have a common calculator for interoperability among vendors, the fact that CVE is maintained completely transparently to the community is a HUGE pro,” says Fred Wilmot, chief technology officer at PacketSled. “It’s altruism at its best. The weakness in the CVE comes in the weaponization of that information and the lack of disclosure for profit and activism, as two examples.” Where to start.
That isn’t what CVE is or does. CVE is most certainly not maintained transparently to the community. It is not maintained transparently to the volunteer Editorial Board (now known simply as the . The backroom workings and decisions MITRE makes on behalf of CVE without Board or public input have been documented before.

The last decision that lacked any transparency was their recent catastrophic decision to change the CVE format to a new . If you have any doubt about this being a backroom decision, look at the first reply from CVE Board member Kurt Seifried.
Wilmot’s characterization that CVE is “altruism at its best” also speaks to a lack of knowledge of CVE. While MITRE, the organization that maintains CVE, is technically a not-for-profit organization, they only take non-compete contracts at incredible expense to the U.S. CVE, and a handful of other . In 2015, they enjoyed over $1. The fact that the contract to maintain CVE is non-compete, and cannot be bid on by companies more qualified to run the project, speaks to where the real interest lies and it isn’t altruistic.
The weakness in CVE is certainly not the “weaponization” of that information. A significant majority of weaponized exploits that lead to the thousands of data breaches and organizations being compromised are typically done with functional exploits that enjoy little technical information being made public. For example, phishing attacks that rely on Adobe Reader or Adobe Flash are usually patched by Adobe eventually, and the subsequent disclosure has no technical details.
Even if researchers post more details down the road, the entries in CVE are rarely updated to include the additional details. The last bit of Wilmot’s quote, I will need someone to explain to me. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors. Most Vulnerability notes are the result of private coordination and disclosure efforts. For more comprehensive coverage of public vulnerability reports, consider the National Vulnerability Database (NVD). “This is nice to have, but it still uses CVEs as reference,” says Fred Wilmot, chief technology officer at PacketSled. “However, it’s probably a good place to spend time during an investigation.” The CERT VNDB is not a comprehensive vulnerability database, and does not aim to be one. As mentioned, their information is primarily via their assisting researchers in coordinating a disclosure with a vendor. Since CERT is a CNA, meaning they can assign CVE IDs to vulnerabilities they coordinate, it means that over 9. CVE and thus NVD. Monitoring NVD will get you all of CVE and almost all of CERT VNDB.
The very few CERT VU that do not get CVE IDs assigned before disclosure are rare, and I believe they get assignments shortly after from MITRE. Once again, Wilmot speaks about these sources and doesn’t appear to have real working knowledge which personifies my term . CERT VNDB disclosures appear on their site before they appear in CVE or NVD. It may be 2. 4 – 7. CVEs as a reference, for timely monitoring of vulnerabilities it may be important to keep an eye out on CERT directly. Next, Wilmot goes on to say “NVD is not nearly as practical to consume directly as CVE”, apparently not realizing that NVD makes its data available in XML.
While MITRE makes the CVE data in several formats, it doesn’t mean NVD is not easy to consume. The most important distinction here is that NVD comes with CPE data where CVE does not. For any medium to large organization, this is basically mandatory meta-data for actually putting the information to use.