NIST’s NVD has encountered a problem

2024-03-19 13:44

Vulnerability management solutions rely on NVD. In the meantime, enterprise defenders have effectively lost a critical resource, since many vulnerability scanners and other vulnerability managament tools rely on the CPE entires set by the NVD to pinpoint and address security vulnerabilities affecting an ogranization's systems.

NVD is not the only vulnerability database out there.

The existence of these databases has made NVD's stumble a "Non-event" for his company, he added, "But not every scanners uses these and many folks still rely on the NVD every day."

Companies such as Rapid7 and Qualys had to reassure customers that its products don't depend on NVD as the only source of vulnerability and risk information.

Despite its faults, NVD is obviously still a crucial resource that currently has no suitable replacement when it comes to delivering crucial metadata about vulnerabilities in proprietary software.

"The NVD needs to continue to operate at least in the near term, but it can no longer be accepted as the most important vulnerability database worldwide. There needs to be a short-term solution, a database in which new CVEs will include for open source software, and other identifiers for proprietary software, as well as intelligent devices," Alrich opined.

News URL

https://www.helpnetsecurity.com/2024/03/19/nvd-vulnerability-management/

#nist