NIST is chipping away at NVD backlog
The National Institute of Standards and Technology (NIST) is clearing the backlog of unprocessed CVE-numbered vulnerabilities in the National Vulnerability Database (NVD), but has admitted that its initial estimate of when it would finish the job was “optimistic”.
About the NVD
The National Vulnerability Database is a public repository of vulnerabilities that have been published on MITRE’s CVE List.
“NVD staff are tasked with enrichment of CVEs by aggregating data points from the description, references supplied and any supplemental data that can be found publicly at the time. This enrichment results in association impact metrics (Common Vulnerability Scoring System – CVSS), vulnerability types (Common Weakness Enumeration – CWE), and applicability statements (Common Platform Enumeration – CPE), as well as other pertinent metadata,” NIST explains.
NIST’s analysts don’t test the vulnerabilities themselves, but rely on vendors, security researchers and vulnerability coordinators to share information that will allow them to assign (and periodically update) those attributes.
The NVD is a significant source of information for vulnerability scanners and automated vulnerability management tools, many of which pull CVSS scores, CWE types and CPE applicability data straight from it. As such, its health is crucial for the security of organizations that depend on those tools: an entry that has not yet been enriched may carry no score at all, or only the score supplied by the reporting vendor, and may not match the scanner's product inventory until CPE data is added.
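One practical consequence for anyone consuming NVD data is that a backlogged record can look superficially complete while carrying none of NIST's own enrichment. The script below, an added example and not code from the article or from NIST, reads a response in the NVD API 2.0 JSON layout and reports, per CVE, whether NVD-supplied (type "Primary") CVSS, CWE and CPE data is present, falling back to CNA- or ADP-supplied (type "Secondary") scores where NIST has not yet analysed the entry. The field names follow the public NVD API 2.0 format; the three records, their placeholder CVE ids and the example CPE string are constructed for this example and are not real vulnerability data.

```python
"""Check NVD API 2.0 records for missing NIST enrichment.

Added example, not code from the article or from NIST. The JSON layout
(cve.vulnStatus, cve.metrics.cvssMetricV31[].type, cve.weaknesses,
cve.configurations) follows the public NVD API 2.0 response format; the
records below are constructed for this example and use placeholder CVE ids.
"""
import json

# Constructed sample response in NVD API 2.0 shape (not real CVE data).
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            # Fully enriched by NVD: Primary CVSS, Primary CWE, CPE configuration.
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{
                "source": "nvd@nist.gov", "type": "Primary",
                "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-79"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                "cpeMatch": [{"vulnerable": True,
                              "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            # Backlogged: only the CNA's own score is present, no NVD analysis.
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [{
                "source": "cna@example.org", "type": "Secondary",
                "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
            "weaknesses": [],
        }},
        {"cve": {
            # Backlogged with no score from anyone.
            "id": "CVE-0000-0003",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
    ]
})

# Statuses in which NVD has completed (or later revised) its own enrichment.
ENRICHED_STATUSES = {"Analyzed", "Modified"}
CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def _best_score(metrics: dict, metric_type: str):
    """Highest base score among entries of the given type (Primary = NVD, Secondary = CNA/ADP)."""
    scores = [
        entry["cvssData"]["baseScore"]
        for key in CVSS_KEYS
        for entry in metrics.get(key, [])
        if entry.get("type") == metric_type
    ]
    return max(scores) if scores else None


def enrichment_report(raw_json: str) -> list:
    """Summarise, per CVE, whether NVD enrichment (CVSS/CWE/CPE) is present."""
    report = []
    for item in json.loads(raw_json)["vulnerabilities"]:
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        nvd_score = _best_score(metrics, "Primary")
        report.append({
            "id": cve["id"],
            "status": cve.get("vulnStatus"),
            "nvd_score": nvd_score,
            "fallback_score": _best_score(metrics, "Secondary"),
            "has_cwe": any(w.get("type") == "Primary" for w in cve.get("weaknesses", [])),
            "has_cpe": bool(cve.get("configurations")),
            # Count the record as enriched only when NVD itself has analysed it
            # and supplied a score; a CNA score alone brings no CPE data with it.
            "nvd_enriched": cve.get("vulnStatus") in ENRICHED_STATUSES and nvd_score is not None,
        })
    return report


def unenriched_ids(raw_json: str) -> list:
    """CVE ids a scanner would have to score from CNA/ADP data or triage by hand."""
    return [r["id"] for r in enrichment_report(raw_json) if not r["nvd_enriched"]]


if __name__ == "__main__":
    for row in enrichment_report(SAMPLE_RESPONSE):
        print(row)
    print("needs local triage:", unenriched_ids(SAMPLE_RESPONSE))
```

Against a live feed the same logic runs over the JSON returned by the NVD API; the point of separating `nvd_score` from `fallback_score` is that a scanner which silently accepts a Secondary score as if it were NVD's will also silently miss the absence of CPE data, which is what actually ties the CVE to an asset in an inventory.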
Problem-solving
Problems with the NVD surfaced earlier this year, when NIST said it was having difficulties analyzing and updating vulnerability entries, citing several reasons.
NIST said it had started working on longer-term solutions and was considering a number of changes to future-proof the NVD.
Since then, NIST has hired Maryland-based Analygence to help them develop, test, and deploy web applications and web-based services for its Cybersecurity and Privacy Platform (CPP).
“Additionally, Analygence will be supporting NIST in designing and testing a novel approach to reducing measurement uncertainty in vulnerabilities found in information technology systems, industrial control systems, and medical devices by standardizing the description of vulnerabilities through a structured characterization format, a vulnerability ontology or ‘Vulntology,'” the company shared at the time.
Getting back on track
In the update published on Wednesday, NIST says that they now have a full team of analysts and that they are addressing all incoming CVEs as they are uploaded. “In addition, we have addressed all Known Exploited Vulnerabilities (KEVs) that were in the backlog, and we are processing all new KEVs as they come in.”
Unfortunately, the entries for backlogged vulnerabilities that are not under active exploitation are still a work in progress, because the data they receive from Authorized Data Providers (ADPs) “are in a format that [they] are not currently able to efficiently import and enhance.”
“To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently. We are working to complete this project as quickly as possible and will continue to provide updates on our progress to this NVD Updates page,” the agency concluded.