NIST Database Tracks Software Weaknesses

By Paul F. Roberts  |  Posted 2005-08-22

The Federal Government, often criticized for its slow response to security vulnerabilities and attacks, has launched a new database of software flaws designed to help IT administrators stay ahead of attacks that use those holes.

The NVD (National Vulnerability Database) was launched Aug. 11 by the National Institute of Standards and Technology and already contains information on almost 12,000 vulnerabilities. The new database complements other sources of vulnerability data, such as The Mitre Corp.s CVE (Common Vulnerabilities and Exposures) list, and provides IT administrators with tools for researching vulnerabilities on a wide range of software, said Peter Mell, NVD project lead and a senior scientist at NIST.

Federal security takes home a D+ report card. Click here to read more.

The new database is funded by the Department of Homeland Securitys National Cyber Security Division and builds on vulnerability information published by Mitre. NVD is synchronized with the CVE list every 5 minutes, importing raw vulnerability data from Mitre.

NVD replaces an earlier NIST vulnerability database called ICAT and improves the vulnerability research and analysis tools available with that older database, said Alan Paller, director of research at The SANS Institute, in Bethesda, Md.

IT administrators will be able to locate information about vulnerabilities in products more easily using NVD. That will be especially important to users of products from smaller technology vendors that cannot devote the same resources to vulnerability research and disclosure as software giants such as Microsoft Corp. can, Paller said.

Mitres CVE is a bare-bones dictionary of software vulnerabilities with little useful information for IT administrators. In contrast, NVD presents detailed information on the range, scope and impact of software vulnerabilities.

Click here to read about how the private sector and the feds are teaming up against phishing.

"NVD complements US-CERT alerts and vulnerability notes and fills out the [DHS] suite of vulnerability offerings," he said.

IT administrators access NVD through a Web-based portal. As new data arrives in the system, it is reviewed by NIST experts, who fill in information about the severity and impact of the security holes, as well as US-CERT lists of affected products.

NVD will greatly expand the amount of publicly available information about software vulnerabilities, especially noncritical software holes, with links to more than 50,000 vulnerability notes from private-sector companies, in addition to data from government sources, Mell said.

"Were expanding coverage of government advisories by an order of magnitude," Mell said.

Researchers can download the entire NVD database, free, for use with security products, services and reports. NIST also publishes an XML information feed for the database that will update researchers on the most recently published vulnerabilities in NVD.

Check out eWEEK.coms for the latest news, views and analysis of technologys impact on government and politics.

Rocket Fuel